
[ENHANCEMENT] Add security headers (CSP, X-Frame-Options, HSTS, X-Content-Type-Options) #45

@rishab11250

Description


The Conn Express server currently does not set any security-related HTTP response headers. This exposes the application to common web attacks like XSS, clickjacking, and MIME-sniffing.

Current Behavior

Running curl -I https://conn-delta.vercel.app shows these headers are all missing:

  • Content-Security-Policy — prevents XSS and data injection
  • X-Frame-Options — prevents clickjacking
  • Strict-Transport-Security — enforces HTTPS connections
  • X-Content-Type-Options — prevents MIME type sniffing
  • Referrer-Policy — controls referrer information leakage

Expected Behavior

The server should send appropriate security headers on every HTTP response to protect users against common web vulnerabilities.

Proposed Solution

The simplest approach is to use the helmet npm package, which sets a sensible default set of the security headers listed above with a single middleware call:

  1. Run npm install helmet
  2. In server.js, add after the existing middleware block:

       const helmet = require('helmet');
       app.use(helmet());

  3. Configure the Content-Security-Policy to allow the specific external resources Conn uses (Google Fonts, Razorpay CDN, etc.)
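As an added illustration (not code from the Conn repository), the following dependency-free Express-style middleware sets the same five headers helmet would, with a CSP that allows the external origins Conn is assumed to use; the Google Fonts and Razorpay hostnames, the `trust proxy` note and the header values are assumptions to be checked against the real pages before deploying.

```javascript
// Added example, not from the Conn project. Origins below are assumptions:
// Google Fonts serves CSS from fonts.googleapis.com and font files from
// fonts.gstatic.com; Razorpay Checkout loads its script from
// checkout.razorpay.com and opens frames/XHR to api.razorpay.com.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://checkout.razorpay.com'],
  'style-src': ["'self'", 'https://fonts.googleapis.com'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'frame-src': ['https://api.razorpay.com', 'https://checkout.razorpay.com'],
  'connect-src': ["'self'", 'https://api.razorpay.com'],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'frame-ancestors': ["'none'"], // modern equivalent of X-Frame-Options: DENY
};

// Serialise a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Header set for one response. HSTS is only emitted for HTTPS requests:
// browsers ignore it over plain HTTP and local dev should not receive it.
function securityHeadersFor(isHttps) {
  const headers = {
    'Content-Security-Policy': buildCsp(CSP_DIRECTIVES),
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
  if (isHttps) {
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return headers;
}

// Express middleware: app.use(securityHeaders()). Vercel terminates TLS and
// forwards the scheme in X-Forwarded-Proto; req.secure reflects it once
// app.set('trust proxy', 1) is configured, so both signals are checked.
function securityHeaders() {
  return (req, res, next) => {
    const isHttps = req.secure || req.headers['x-forwarded-proto'] === 'https';
    for (const [name, value] of Object.entries(securityHeadersFor(isHttps))) {
      res.setHeader(name, value);
    }
    next();
  };
}

if (typeof module !== 'undefined') module.exports = { buildCsp, securityHeadersFor, securityHeaders };
```

After wiring it in, re-run curl -I against the deployment and confirm each of the five headers is present; keep the CSP in report-only mode first if any page breaks.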

Environment

  • Node.js v18+
  • Express.js
  • Deployed on Vercel

Additional Context

The admin dashboard also has no X-Frame-Options which means an attacker could embed admin pages in an iframe (clickjacking attack surface).
