APPT-1271 NextJs HTTP protocol headers (HSTS, Content-Type, CSP)#1640

Open

jsed-nhs wants to merge 11 commits into main from APPT-1271/http-headers

Conversation

@jsed-nhs jsed-nhs commented Apr 27, 2026

  • Apply no-sniff and HTTPS header config to the Next.js config.
  • Apply CSP (Content Security Policy) in the Next.js middleware, as it needs to use a nonce generation and pass-through pattern to allow inline styles/scripts/fonts from Next.js's own middleware generation.
  • Set a no-cache pattern for Next.js pages only (still cache scripts etc.), as the dynamic nonce needs to be generated each time (small performance cost but much higher security).
  • Disable the 'bypassCSP' Playwright config to allow the new CSP policy to apply to all Playwright tests.
  • Add test validation in Playwright to fail the test with a [CSP] error if any exist (proof this works in the screenshot below).
  • Move any and all existing inline styles to CSS classes, as these fail the CSP policy.
  • Update Jest tests affected by the DOM change.

TODO

  • (After merge) Need to investigate the impact on each env as it goes through, as environment config values for the 'connect-src' CSP policy may differ from the local and CI mocked OIDC server.

[Screenshot: csp-ci, 2026-04-28 17:09:31]

@jsed-nhs jsed-nhs requested a review from a team as a code owner April 27, 2026 12:14
@jsed-nhs jsed-nhs changed the title APPT-1271 Set NextJs Https headers APPT-1271 NextJs HTTP protocol headers (HSTS, Content-Type, CSP) Apr 29, 2026
@jsed-nhs jsed-nhs force-pushed the APPT-1271/http-headers branch from 418eabd to 1f7f8dc April 29, 2026 14:48