
Allow configuring HTTP Security Headers #9160

@dcoe-jkpaper

Description


Checklist

  • I have searched the existing issues for similar issues.
  • I added a very descriptive title to this issue.
  • I have provided sufficient information below to help reproduce this issue.

Summary

1. Missing HTTP Security Headers
While deploying the app using Streamlit, I've found that we can't configure the following HTTP security headers:
• Strict-Transport-Security
• X-Content-Type-Options
• X-Frame-Options
• Content-Security-Policy (CSP)

Security headers help an application prevent many attacks like man-in-the-middle (MiTM) attacks, cross-site scripting (XSS), clickjacking, etc. These configurations are important to enhance the security features of the app.

2. Banner Disclosure
I also observed that the application's response headers disclose information about the server and its version. Specifically, the header reveals that the server is running "TornadoServer v6.4".

Disclosing server and version information can aid attackers in identifying vulnerabilities specific to the server software being used, thereby increasing the risk of targeted attacks.

Possible Solution
Just like the other configurations for the app, these security settings could also be defined in the config.toml file.

Reproducible Code Example

These security lapses are applicable across any of the Streamlit apps.

Steps To Reproduce

No response

Expected Behavior

No response

Current Behavior

No response

Is this a regression?

  • Yes, this used to work in a previous version.

Debug info

  • Streamlit version: 1.37
  • Python version: 3.10
  • Operating System: Windows 11
  • Browser: Edge

Additional Information

No response
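A defender-side check for the two findings above (the four missing headers and the Server banner), written here as an added example and not part of the issue or of Streamlit's code. `SAMPLE_HEADERS` and `HARDENED_HEADERS` are constructed inputs, not captured responses; the minimum HSTS age is an assumed policy value.

```python
import re
from typing import Dict, List

# Constructed sample resembling the response the reporter describes:
# no security headers, Server banner with a version number.
SAMPLE_HEADERS = {
    "Server": "TornadoServer/6.4",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample of what a hardened deployment should send.
HARDENED_HEADERS = {
    "Server": "web",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def audit_headers(headers: Dict[str, str], min_hsts_age: int = 15552000) -> List[str]:
    """Return findings for the headers the issue asks about (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < min_hsts_age:  # assumed policy threshold
            findings.append("Strict-Transport-Security max-age too low")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")

    # Clickjacking protection can come from X-Frame-Options or CSP frame-ancestors.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")

    server = h.get("server", "")
    if re.search(r"\d", server):  # any digit in the banner is treated as a version leak
        findings.append(f"Server header discloses a version: {server!r}")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("as reported", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```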

Labels

  • area:security (Related to security concerns)
  • feature:config (Related to `config.toml` and config options)
  • type:enhancement (Requests for feature enhancements or new features)