
security: add security response headers to HTTP API [4/5] #172

Merged
rsampaio merged 1 commit into main from security/add-response-security-headers on Apr 15, 2026

Conversation

Collaborator

@rsampaio rsampaio commented Apr 15, 2026

Add a middleware that sets standard security headers on every response:

  • X-Content-Type-Options: nosniff (prevents MIME-sniffing attacks)
  • X-Frame-Options: DENY (prevents clickjacking via iframes)
  • Cache-Control: no-store (prevents proxy/browser caching of health data)

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Summary by CodeRabbit

  • New Features
    • Enhanced application security by implementing security headers in all HTTP responses to protect against common web vulnerabilities.
  • Tests
    • Added comprehensive test coverage validating the implementation of security headers in application responses.

Add a middleware that sets standard security headers on every response:
- X-Content-Type-Options: nosniff (prevents MIME-sniffing attacks)
- X-Frame-Options: DENY (prevents clickjacking via iframes)
- Cache-Control: no-store (prevents proxy/browser caching of health data)

Signed-off-by: Rodrigo Sampaio Vaz <rvaz@nvidia.com>
@rsampaio rsampaio requested a review from jingxiang-z April 15, 2026 01:07
@rsampaio rsampaio changed the title from "security: add security response headers to HTTP API" to "security: add security response headers to HTTP API [4/5]" Apr 15, 2026

coderabbitai Bot commented Apr 15, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 47dab0c and 817d4a0.

📒 Files selected for processing (2)
  • internal/server/handlers_test.go
  • internal/server/server.go

📝 Walkthrough

A new security headers middleware is added to set three HTTP response headers (X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Cache-Control: no-store) for all requests. Test assertions are added to verify these headers are correctly set.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Security Headers Middleware: internal/server/server.go | Added securityHeaders() middleware function that sets three security-related HTTP response headers and registered it in installMiddlewares() alongside the existing gin.Recovery() middleware. |
| Middleware Tests: internal/server/handlers_test.go | Added three assertions in TestInstallMiddlewares to validate that the GET /test response includes X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Cache-Control: no-store headers. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops with headers held high,
Shielding requests as they swiftly fly,
No sniffing, no framing, no stale cache in sight,
Security middleware keeping responses tight! 🛡️

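The middleware described in the PR description and in the walkthrough above, as an added example that is not the project's code: it uses the standard net/http instead of gin so it runs without the dependency, the health endpoint body is a constructed stand-in, and the function names (securityHeaders, probe) and the GET /test path are taken from the walkthrough. It also shows the one thing worth checking in such a middleware: the headers only reach the client when they are set before the handler writes, which is why the gin version must set them before calling the next handler.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Headers the PR's middleware sets on every response.
var securityHeaderValues = map[string]string{
	"X-Content-Type-Options": "nosniff",
	"X-Frame-Options":        "DENY",
	"Cache-Control":          "no-store",
}

// securityHeaders sets the headers BEFORE delegating: like gin, net/http sends
// headers on the first Write/WriteHeader, so anything set later is lost.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range securityHeaderValues {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// headersSetTooLate is the failure mode: same headers, set after the handler wrote.
func headersSetTooLate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r)
		for k, v := range securityHeaderValues {
			w.Header().Set(k, v)
		}
	})
}

// probe sends GET /test through mw to a constructed stand-in for the health
// endpoint and returns the headers a client would actually receive.
func probe(mw func(http.Handler) http.Handler) http.Header {
	health := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		w.Write([]byte(`{"status":"ok"}`))
	})
	rec := httptest.NewRecorder()
	mw(health).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/test", nil))
	return rec.Result().Header
}
```

probe(securityHeaders) returns all three headers; probe(headersSetTooLate) returns none of them, which is the regression the PR's test assertions would catch.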

@rsampaio rsampaio merged commit 3e525bc into main Apr 15, 2026
9 checks passed
@rsampaio rsampaio deleted the security/add-response-security-headers branch April 15, 2026 18:54