(GONRG-1759) Fix Security response headers issue

Issue

Testing team reported "VULN-05 HSTS and CSP not implemented properly".

The report is attached to the GONRG-1637: [^API security testing report _Trajectory.pdf].

They say "The HSTS and CSP headers are not implemented. A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate".

Reported contexts: STORAGE, DELIVERY

Replay and analysis

Debugged Search service API:

curl --location --request POST 'https://os-search-attcrcktoa-uc.a.run.app/api/search/v2/query' \
--header 'Authorization: Bearer <token>' \
--header 'data-partition-id: osdu' \
--header 'Content-Type: application/json' \
--data-raw '{
   "kind": "osdu:osdu:*:0.2.0",
   "query": "BIR*"
}'

• Noticed security headers (Strict-Transport-Security, Content-Security-Policy etc.) absence in responses
• Analyzed Search service Java code
  • not found any "active" code for setting security headers on Responses
  • found the inactivated class "org.opengroup.osdu.search.middleware.CorrelationIDRequestFilter" designed to set needed headers
    • the class is inactivated by the commented "@Component" annotation
  • CorrelationIDRequestFilter component should be reviewed, actualized and reactivated
    • see the similar functionality code we have in Storage service: GONRG-1756

Type of change

• Bug Fix
• Feature

Does this introduce a change in the core logic?

• [YES]

Does this introduce a change in the cloud provider implementation, if so which cloud?

• AWS
• Azure
• GCP
• IBM

Does this introduce a breaking change?

• [NO]

Have you added/updated Unit Tests and Integration Tests?

• [NO]