Adds tests for security response headers in serverless (#160619)

Closes #159833

## Summary
Adds tests to verify the default serverless security response headers
are present in API and redirect responses.

- Adds
`x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts`
- Modifies CODEOWNERS to designate `elastic/kibana-security` as the
owner of these tests

.github/CODEOWNERS

@@ -963,6 +963,9 @@ x-pack/plugins/infra/server/lib/alerting @elastic/actionable-observability
 #CC# /src/plugins/newsfeed @elastic/kibana-core
 #CC# /x-pack/plugins/global_search_providers/ @elastic/kibana-core
 
+# AppEx Platform Services Security
+x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts  @elastic/kibana-security
+
 # Kibana Telemetry
 /.telemetryrc.json @elastic/kibana-core
 /x-pack/.telemetryrc.json @elastic/kibana-core

x-pack/test_serverless/api_integration/test_suites/common/index.ts

@@ -11,5 +11,6 @@ export default function ({ loadTestFile }: FtrProviderContext) {
   describe('serverless common API', function () {
     loadTestFile(require.resolve('./security_users'));
     loadTestFile(require.resolve('./spaces'));
+    loadTestFile(require.resolve('./security_response_headers'));
   });
 }

x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from 'expect';
+import { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  const svlCommonApi = getService('svlCommonApi');
+  const supertest = getService('supertest');
+
+  describe('security response headers', function () {
+    const defaultCSP = `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'; frame-ancestors 'self'`;
+    const defaultCOOP = 'same-origin';
+    const defaultPermissionsPolicy =
+      'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()';
+    const defaultStrictTransportSecurity = 'max-age=31536000; includeSubDomains';
+    const defaultReferrerPolicy = 'no-referrer-when-downgrade';
+    const defaultXContentTypeOptions = 'nosniff';
+    const defaultXFrameOptions = 'SAMEORIGIN';
+
+    it('API endpoint response contains default security headers', async () => {
+      const { header } = await supertest
+        .get(`/internal/security/me`)
+        .set(svlCommonApi.getCommonRequestHeader())
+        .expect(200);
+
+      expect(header).toBeDefined();
+      expect(header['content-security-policy']).toEqual(defaultCSP);
+      expect(header['cross-origin-opener-policy']).toEqual(defaultCOOP);
+      expect(header['permissions-policy']).toEqual(defaultPermissionsPolicy);
+      expect(header['strict-transport-security']).toEqual(defaultStrictTransportSecurity);
+      expect(header['referrer-policy']).toEqual(defaultReferrerPolicy);
+      expect(header['x-content-type-options']).toEqual(defaultXContentTypeOptions);
+      expect(header['x-frame-options']).toEqual(defaultXFrameOptions);
+    });
+
+    it('redirect endpoint response contains default security headers', async () => {
+      const { header } = await supertest
+        .get(`/login`)
+        .set(svlCommonApi.getCommonRequestHeader())
+        .expect(302);
+
+      expect(header).toBeDefined();
+      expect(header['content-security-policy']).toEqual(defaultCSP);
+      expect(header['cross-origin-opener-policy']).toEqual(defaultCOOP);
+      expect(header['permissions-policy']).toEqual(defaultPermissionsPolicy);
+      expect(header['strict-transport-security']).toEqual(defaultStrictTransportSecurity);
+      expect(header['referrer-policy']).toEqual(defaultReferrerPolicy);
+      expect(header['x-content-type-options']).toEqual(defaultXContentTypeOptions);
+      expect(header['x-frame-options']).toEqual(defaultXFrameOptions);
+    });
+  });
+}