feat(backend): add fastify helmet

apps/backend/README.md

@@ -25,3 +25,5 @@ npm run test
   plugins to add custom health checks.
 - Basic multipart form handling via
   [@fastify/multipart](https://npm.im/@fastify/multipart).
+- Some default security based headers provided by
+  [@fastify/helmet](https://npm.im/@fastify/helmet).

apps/backend/package.json

@@ -15,6 +15,7 @@
     "dotenv": "^16.4.4",
     "fastify": "^4.26.0",
     "fastify-custom-healthcheck": "^3.1.0",
+    "@fastify/helmet": "^11.1.1",
     "fastify-plugin": "^4.5.1",
     "@fastify/multipart": "^8.1.0"
   },

apps/backend/plugins/base.ts

@@ -1,6 +1,8 @@
 import fastifyMultipart, { FastifyMultipartBaseOptions } from "@fastify/multipart";
 import { RegisterOptions } from "fastify";
 import fastifyCustomHealthCheck from "fastify-custom-healthcheck";
+import fastifyHelmet from "@fastify/helmet";
+
 import fp from "fastify-plugin";
 import { FastifyBase } from "../types.js";
 
@@ -10,7 +12,8 @@ async function base(
 		multipart?: FastifyMultipartBaseOptions;
 	},
 ) {
-	// TODO: should only be enabled for specific plugin contexts. So we may want to expose a function with these defaults at some point?
+	// TODO: should only be enabled for specific plugin contexts. So we may want to expose a
+	// function with these defaults at some point?
 
 	fastify.register(fastifyMultipart, {
 		limits: {
@@ -44,6 +47,21 @@ async function base(
 		...options.multipart,
 	});
 
+	fastify.register(fastifyHelmet, {
+		global: true,
+		contentSecurityPolicy: {
+			// See https://infosec.mozilla.org/guidelines/web_security#content-security-policy:~:text=recommended%20for%20APIs%20to%20use
+			useDefaults: false,
+			directives: {
+				"default-src": "'none'",
+				"frame-ancestors": "'none'",
+			},
+		},
+
+		// IE8 only, which we don't support
+		xDownloadOptions: false,
+	});
+
 	// TODO: Why do we need `as any` here?
 	fastify.register(fastifyCustomHealthCheck as any, {
 		// TODO: we should allow configuring one or multiple routes