Add config to use Rails for secure headers options (LG-5771)

[zachmargolis]

The bulk of this PR is setting up regression specs so we can remove SecureHeaders gem confidently

• The configs:

  identity-idp/config/initializers/secure_headers.rb

  Lines 4 to 9 in 27742c5

  	config.hsts = "max-age=#{365.days.to_i}; includeSubDomains; preload"
  	config.x_frame_options = 'DENY'
  	config.x_content_type_options = 'nosniff'
  	config.x_xss_protection = '1; mode=block'
  	config.x_download_options = 'noopen'
  	config.x_permitted_cross_domain_policies = 'none'

• Looks like most of our desired headers match with the defaults for Rails: https://edgeguides.rubyonrails.org/configuring.html#config-action-dispatch-default-headers

The way SecureHeaders is implemented, it stomps on the default_headers config very late in the game: https://github.com/github/secure_headers/blob/ce2ad139646f9775061159fe5c4707638fbe45c1/lib/secure_headers/railtie.rb#L21-L31

so the only way to test this code was to comment out/remove secure_headers gem entirely and make sure the specs worked as expected

This does mean that this test should be good regression for when we do remove the gem entirely

[aduth]

Re: Defaults:

• The default for X-XSS-Protection ("0") doesn't match what we had. Do we want it to?
• The default for X-Download-Options will be removed in Rails 7.1. Do we care to keep it set?

[aduth]

Can we force it to request as https: ? Edit: Or is this also related to your original comment about secure_headers gem clobbering?

[zachmargolis]

The clobbering was mostly related to the action_dispatch.default_headers this was me being lazy... but with some Googling I found that this works: 9e1077b

[theabrad]

To keep inline with the other calls in this file it should be if FeatureManagement.rails_csp_tooling_enabled?
which calls this method.

[zachmargolis]

Good point, will update

[zachmargolis]

Updated: f06ead0

[zachmargolis]

Re: Defaults:

• The default for X-XSS-Protection ("0") doesn't match what we had. Do we want it to?
• The default for X-Download-Options will be removed in Rails 7.1. Do we care to keep it set?

My original process was trying to create the minimal changes that preserve the behavior we have now. That approach meant that if we upgraded to Rails 7, or 7.1, the default headers would change and the specs would break.

Based on this comment, and to hopefully head off some future confusion, I added b621825 to keep what we now have as our default behavior in the future