feat(.htacess): add some HTTP security headers (Permissions-Policy, COOP, CORP, COEP)

webapp/public/.htaccess

+############################################################################################################
+######### Symfony framework ################################################################################
+
 # Use the front controller as index file. It serves as a fallback solution when
 # every other rewrite/redirect fails (e.g. in an aliased environment without
 # mod_rewrite). Additionally, this reduces the matching process for the
@@ -68,3 +71,63 @@ DirectoryIndex index.php
         # RedirectTemp cannot be used instead
     </IfModule>
 </IfModule>
+
+
+############################################################################################################
+######### Comptoir-du-Libre software  ######################################################################
+
+<IfModule mod_headers.c>
+
+    #### Webperf #############################################
+
+    # HTTP "Cache-Control: immutable" headers
+    # for CSS and JS files to use the browser's cache to the maximum (cache busting is mandatory)
+    #   - For Firefox, thhe HTTP "Cache-Control: immutable" header will be honored only if the content is served in HTTPS.
+    #   - Chrome does not actually support immutable at the moment, but has its own new heuristics
+    #   - MDN documenation                  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+    #   - Blog post                         https://www.nicolas-hoffmann.net/source/1710-Deployer-cache-control-immutable-avec-du-cache-busting.html
+    <FilesMatch "\.(js|css)$">
+        Header set Cache-Control "public, max-age=31536000, immutable"
+    </FilesMatch>
+
+
+    #### Security #############################################
+
+    # HTTP Permissions-Policy header
+    #    - W3C Specification                https://www.w3.org/TR/permissions-policy/
+    #    - W3C Permissions Policy Explainer https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
+    #    - W3C Policy Controlled Features   https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
+    #    - MDN documenation                 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+    #    - Chrome documenation              https://developer.chrome.com/docs/privacy-sandbox/permissions-policy/
+    #    - Permissions-Policy Generator     https://www.permissionspolicy.com
+    Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=()"
+
+    # HTTP Cross-Origin-Opener-Policy (COOP) header
+    #    - WHATWG Specification             https://html.spec.whatwg.org/multipage/browsers.html#cross-origin-opener-policies
+    #    - MDN documenation                 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+    #    - Chrome documenation              https://web.dev/security-headers/#coop
+    #    - Chrome documenation              https://web.dev/coop-coep/
+    #    - Scott Helme blog post            https://scotthelme.co.uk/coop-and-coep/
+    #    - Pentesting guide                 https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#coop
+    Header set Cross-Origin-Opener-Policy "same-origin"
+
+    # HTTP Cross-Origin-Resource-Policy (CORP) header
+    #    - WHATWG Specification             https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
+    #    - MDN documenation                 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
+    #    - Chrome documenation              https://web.dev/security-headers/#corp
+    #    - Consider deploying CORP          https://resourcepolicy.fyi
+    #    - Scott Helme blog post            https://scotthelme.co.uk/coop-and-coep/
+    #    - Pentesting guide                 https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#corp
+    Header set Cross-Origin-Resource-Policy "same-origin"
+
+    # HTTP Cross-Origin-Embedder-Policy (COEP) header
+    #    - WHATWG Specification             https://html.spec.whatwg.org/multipage/browsers.html#coep
+    #    - MDN documenation                 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
+    #    - Chrome documenation              https://web.dev/security-headers/#coep
+    #    - Chrome documenation              https://web.dev/coop-coep/
+    #    - Scott Helme blog post            https://scotthelme.co.uk/coop-and-coep/
+    #    - Pentesting guide                 https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#coep
+    Header set Cross-Origin-Embedder-Policy "require-corp"
+
+</IfModule>
+############################################################################################################