Update to owasp headers

Change the Cache-Control header to what OWASP recommends.
Remove the X-XSS-Protection header.  This has been removed from Chrome, and is
unimplemented in other browsers[1].

Add:
X-Permitted-Cross-Domain-Policies
Clear-Site-Data
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy

And set them to the OWASP recommended values.

Tested: The OWASP Venom test suite now passes more tests.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Change-Id: I2860041c1037f47bb85a6444cec66960d0aa55f9
Signed-off-by: Ed Tanous <edtanous@google.com>
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index f2e9589..482b613 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -235,7 +235,8 @@
                                      "SESSION="
                                      "; SameSite=Strict; Secure; HttpOnly; "
                                      "expires=Thu, 01 Jan 1970 00:00:00 GMT");
-
+            asyncResp->res.addHeader("Clear-Site-Data",
+                                     R"("cache","cookies","storage")");
             persistent_data::SessionStore::getInstance().removeSession(session);
         }
         });
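Review bot: The Clear-Site-Data header added here is only honored by browsers on a secure (HTTPS) context, so on a plain-HTTP connection the logout path still relies solely on the expired SESSION cookie set just above it; a one-line comment would keep the next reader from expecting it to do more, e.g. `// Clear-Site-Data is ignored over plain HTTP; the expired SESSION cookie above is the fallback.` The `"cookies"` directive, as the spec describes it, also clears every cookie for the origin's registrable domain rather than only SESSION, which is presumably intended on logout but is worth stating in the commit description. The enclosing handler lambda starts before this hunk.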
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index d99729f..9615f65 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -10,65 +10,58 @@
 {
     /*
      TODO(ed) these should really check content types.  for example,
-     X-UA-Compatible header doesn't make sense when retrieving a JSON or
+     X-Content-Type-Options header doesn't make sense when retrieving a JSON or
      javascript file.  It doesn't hurt anything, it's just ugly.
      */
     using bf = boost::beast::http::field;
-    res.addHeader(bf::strict_transport_security, "max-age=31536000; "
-                                                 "includeSubdomains; "
-                                                 "preload");
-    res.addHeader(bf::x_frame_options, "DENY");
-
-    res.addHeader(bf::pragma, "no-cache");
-    res.addHeader(bf::cache_control, "no-Store,no-Cache");
-
-    res.addHeader("X-XSS-Protection", "1; "
-                                      "mode=block");
-    res.addHeader("X-Content-Type-Options", "nosniff");
 
     // Recommendations from https://owasp.org/www-project-secure-headers/
     // https://owasp.org/www-project-secure-headers/ci/headers_add.json
+    res.addHeader(bf::strict_transport_security, "max-age=31536000; "
+                                                 "includeSubdomains");
+    res.addHeader(bf::x_frame_options, "DENY");
+
+    res.addHeader(bf::pragma, "no-cache");
+    res.addHeader(bf::cache_control, "no-store, max-age=0");
+
+    res.addHeader("X-Content-Type-Options", "nosniff");
+
     res.addHeader("Referrer-Policy", "no-referrer");
-    res.addHeader("Permissions-Policy", "accelerometer=(), "
-                                        "ambient-light-sensor=(), "
-                                        "autoplay=(), "
-                                        "battery=(), "
-                                        "bluetooth=(), "
-                                        "camera=(), "
-                                        "ch-ua=(), "
-                                        "ch-ua-arch=(), "
-                                        "ch-ua-bitness=(), "
-                                        "ch-ua-full-version=(), "
-                                        "ch-ua-full-version-list=(), "
-                                        "ch-ua-mobile=(), "
-                                        "ch-ua-model=(), "
-                                        "ch-ua-platform=(), "
-                                        "ch-ua-platform-version=(), "
-                                        "ch-ua-wow64=(), "
-                                        "cross-origin-isolated=(), "
-                                        "display-capture=(), "
-                                        "encrypted-media=(), "
-                                        "execution-while-not-rendered=(), "
-                                        "execution-while-out-of-viewport=(), "
-                                        "fullscreen=(), "
-                                        "geolocation=(), "
-                                        "gyroscope=(), "
-                                        "hid=(), "
-                                        "idle-detection=(), "
-                                        "keyboard-map=(), "
-                                        "magnetometer=(), "
-                                        "microphone=(), "
-                                        "midi=(), "
-                                        "navigation-override=(), "
-                                        "payment=(), "
-                                        "picture-in-picture=(), "
-                                        "publickey-credentials-get=(), "
-                                        "screen-wake-lock=(), "
-                                        "serial=(), "
-                                        "sync-xhr=(), "
-                                        "usb=(self), "
-                                        "web-share=(), "
-                                        "xr-spatial-tracking2=()");
+    res.addHeader("Permissions-Policy", "accelerometer=(),"
+                                        "ambient-light-sensor=(),"
+                                        "autoplay=(),"
+                                        "battery=(),"
+                                        "camera=(),"
+                                        "display-capture=(),"
+                                        "document-domain=(),"
+                                        "encrypted-media=(),"
+                                        "fullscreen=(),"
+                                        "gamepad=(),"
+                                        "geolocation=(),"
+                                        "gyroscope=(),"
+                                        "layout-animations=(self),"
+                                        "legacy-image-formats=(self),"
+                                        "magnetometer=(),"
+                                        "microphone=(),"
+                                        "midi=(),"
+                                        "oversized-images=(self),"
+                                        "payment=(),"
+                                        "picture-in-picture=(),"
+                                        "publickey-credentials-get=(),"
+                                        "speaker-selection=()"
+                                        "sync-xhr=(self),"
+                                        "unoptimized-images=(self),"
+                                        "unsized-media=(self),"
+                                        "usb=(),"
+                                        "screen-wak-lock=(),"
+                                        "web-share=(),"
+                                        "xr-spatial-tracking=()");
+
+    res.addHeader("X-Permitted-Cross-Domain-Policies", "none");
+
+    res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
+    res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
+    res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
 
     if (bmcwebInsecureDisableXssPrevention == 0)
     {
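Review bot: Two of the new Permissions-Policy entries are malformed: the literal on the `speaker-selection=()` line lacks its trailing comma, so adjacent-literal concatenation fuses it with the next entry into `speaker-selection=()sync-xhr=(self)`, and `screen-wak-lock=()` misspells the feature the removed code spelled correctly as `screen-wake-lock`. Browsers do not report a bad policy entry; depending on the parser the member or the whole header is silently discarded, so the policy is weakened without any visible error, and the fix is `"speaker-selection=(),"` and `"screen-wake-lock=(),"`. Separately, `Cross-Origin-Embedder-Policy: require-corp` is now applied to every response and prevents the web UI from embedding any cross-origin resource that does not opt in via CORP or CORS, which is presumably fine for a self-contained UI but deserves a one-line comment since the commit description does not mention the trade-off. The function continues past the hunk into the `bmcwebInsecureDisableXssPrevention` branch.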