fix: add security headers to nginx config

[wicky-zipstack]

What

• Add security headers to frontend/nginx.conf to address VAPT findings

Why

• VAPT Finding Fix skip token-usage API calls in OSS mode — fetch only in cloud  #3 (Low): Content Security Policy header was not implemented — responses from nginx had no CSP header, leaving the application vulnerable to XSS and data injection
• VAPT Finding fix: remove Git LFS dependency, fix README logo visibility and broken badge #4 (Low): X-Frame-Options header was missing from nginx-served responses, enabling clickjacking attacks
• Django middleware (SecurityHeadersMiddleware) already adds these headers to API responses, but static files served by nginx (HTML, JS, CSS) had no security headers

How

Added 4 security headers to the server block in frontend/nginx.conf:

• X-Frame-Options: DENY — prevents the page from being embedded in iframes (anti-clickjacking)
• X-Content-Type-Options: nosniff — prevents MIME type sniffing
• Referrer-Policy: strict-origin-when-cross-origin — controls referrer information sent with requests
• Content-Security-Policy — restricts content sources to prevent XSS:
  • default-src 'self' — only allow same-origin by default
  • script-src 'self' 'unsafe-inline' 'unsafe-eval' — required for React
  • connect-src 'self' https://*.visitran.com wss://*.visitran.com — allow API and WebSocket connections
  • frame-ancestors 'none' — modern replacement for X-Frame-Options

Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

• Low risk. The CSP policy is permissive enough to allow React's inline scripts/styles and connections to visitran.com subdomains. Already hot-patched and verified on production (app.visitran.com) — app loads and functions correctly with these headers. The always directive ensures headers are sent on all response codes including errors.

Database Migrations

• None

Env Config

• None

Relevant Docs

• OWASP Content Security Policy Cheat Sheet
• OWASP Clickjacking Defense

Related Issues or PRs

• VAPT Report: Findings Fix skip token-usage API calls in OSS mode — fetch only in cloud  #3 (CSP) and fix: remove Git LFS dependency, fix README logo visibility and broken badge #4 (Clickjacking)
• Django-side fix already exists: pluggable_apps/middleware/security_headers.py (cloud repo)

Dependencies Versions

• None

Notes on Testing

• Already verified on production via hot-patch:

  curl -sI https://app.visitran.com | grep -i "content-security\|x-frame\|x-content-type\|referrer"
  

  All 4 headers present and app functions correctly
• After merge and rebuild, verify headers persist across pod restarts

Screenshots

N/A — verified via curl headers.

Checklist

• I have read and understood the Contribution Guidelines.
• X-Frame-Options header added
• X-Content-Type-Options header added
• Referrer-Policy header added
• Content-Security-Policy header added
• Verified on production via hot-patch — app loads correctly

[abhizipstack]

LGTM