Add missing security headers (X-Frame-Options, X-Content-Type-Options) to Flask responses #1014

@marketcalls

Description

The Flask app sets CSP and Permissions-Policy headers via `csp.py`, but is missing several important security headers that protect against common attacks:

  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME-type sniffing
  • X-XSS-Protection: Legacy XSS protection for older browsers
  • Referrer-Policy: Controls referrer information leakage

These headers are configured in the Nginx install scripts but NOT in the Flask app itself, which means they're missing in development and non-Nginx deployments.

Affected File

  • `csp.py` (lines 124-170: `add_security_headers()` function)

What to Do

Add these headers to the `get_security_headers()` function or `add_security_headers()`:

```python
# Add to the security headers dictionary
response.headers['X-Frame-Options'] = 'DENY'
response.headers['X-Content-Type-Options'] = 'nosniff'
response.headers['X-XSS-Protection'] = '1; mode=block'
response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
```

Acceptance Criteria

  • All four headers present in Flask responses
  • Verify headers using browser DevTools (Network tab → Response Headers)
  • Application still loads and functions normally
  • No CORS issues introduced

Skills You'll Learn

  • HTTP security headers (OWASP)
  • Clickjacking and MIME-sniffing attacks
  • Flask middleware/after_request hooks
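The following is an added example, not code from the project or from this issue's author. It shows the two halves of the task in stand-alone form: a WSGI middleware that appends the four headers to every response (Flask exposes its WSGI callable as `app.wsgi_app`, so this wraps a Flask app as well as any other WSGI app), and a checker that implements the acceptance criteria so they can be asserted in a test rather than inspected by hand in DevTools. The `demo_app` and the request environ are constructed stand-ins for the real application; `csp.py` and its `add_security_headers()` are not used here.

```python
"""Security-header middleware and acceptance check (added example, stdlib only).

Works with any WSGI app. For a Flask app named ``app``:
    app.wsgi_app = SecurityHeadersMiddleware(app.wsgi_app)
"""
from typing import Callable, List, Tuple

# The four headers the issue asks for, with the values it specifies.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

Headers = List[Tuple[str, str]]


def add_security_headers(headers: Headers) -> Headers:
    """Return a copy of *headers* with each missing security header appended.

    Header names are matched case-insensitively and an existing header is left
    alone, so a value already set elsewhere (e.g. a stricter Referrer-Policy)
    is neither duplicated nor silently overwritten.
    """
    present = {name.lower() for name, _ in headers}
    result = list(headers)
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            result.append((name, value))
    return result


class SecurityHeadersMiddleware:
    """Wrap a WSGI app so every response passes through add_security_headers()."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, add_security_headers(headers), exc_info)

        return self.app(environ, patched_start_response)


def missing_security_headers(headers: Headers) -> List[str]:
    """Names of required headers that are absent or carry an unexpected value.

    This is the issue's acceptance criterion ("all four headers present")
    as a function, suitable for a unit test against the Flask test client.
    """
    got = {name.lower(): value for name, value in headers}
    return [name for name, value in SECURITY_HEADERS.items()
            if got.get(name.lower()) != value]


def run_request(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app with a constructed GET request; return status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    # Constructed minimal environ; a real server supplies the full WSGI set.
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed stand-in for the Flask app: one HTML response, no security headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


if __name__ == "__main__":
    _, bare, _ = run_request(demo_app)
    print("missing before:", missing_security_headers(bare))
    _, wrapped, _ = run_request(SecurityHeadersMiddleware(demo_app))
    print("missing after:", missing_security_headers(wrapped))
```

If you would rather keep everything inside Flask, the same "only add if absent" behaviour is a one-line `after_request` hook: `for name, value in SECURITY_HEADERS.items(): response.headers.setdefault(name, value)` followed by `return response` (Werkzeug's `Headers` object supports `setdefault`). Two practitioner notes on the values themselves: when a CSP `frame-ancestors` directive is also present, as `csp.py` may set, browsers that support it give it precedence over `X-Frame-Options`, so the two should agree; and current browsers have removed the XSS auditor that `X-XSS-Protection` controlled, so that header only affects older engines, which is exactly the "legacy" role the issue assigns it.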
