feat(security): enhance content security policy and add HSTS configuration

Author: n3rdc4ptn

server.ts

@@ -94,6 +94,9 @@ if (DYNATRACE_SCRIPT_URL) {
 fastify.register(helmet, {
   contentSecurityPolicy: {
     directives: {
+      defaultSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:', 'https:'],
       'connect-src': ["'self'", 'sdk.openui5.org', sentryHost, dynatraceOrigin],
       'script-src': isLocalDev
         ? ["'self'", "'unsafe-inline'", "'unsafe-eval'", sentryHost, dynatraceOrigin]
@@ -102,6 +105,12 @@ fastify.register(helmet, {
       'frame-ancestors': [...fastify.config.FRAME_ANCESTORS.split(',')],
     },
   },
+  // Needed for https enforcement
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+    preload: true,
+  },
 });
 
 fastify.register(proxy, {