Includes new secure_app fixture that gets an A+ from Mozilla Observatory

[#165481690]

fixtures/secure_app/Staticfile

@@ -0,0 +1,5 @@
+location_include: includes/*.conf
+force_https: true
+http_strict_transport_security: true
+http_strict_transport_security_include_subdomains: true
+http_strict_transport_security_preload: true

fixtures/secure_app/index.html

@@ -0,0 +1,10 @@
+<html>
+  <head>
+    <title>Secure Static file demo app</title>
+  </head>
+  <body>
+    <p>
+      This is a demo app that will receive an A+ when run against the <a href="https://observatory.mozilla.org">Mozilla Observatory</a>
+    </p>
+  </body>
+</html>

fixtures/secure_app/nginx/conf/includes/headers.conf

@@ -0,0 +1,5 @@
+add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; form-action 'none'; img-src 'self'; object-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'";
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options DENY;
+add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy no-referrer;