[Enhancement] Allow dynamic configuration of secure headers #1869

Closed
timo-reymann opened this issue Jun 6, 2023 · 1 comment · Fixed by #1870
Labels
enhancement New feature or request good first issue Good for newcomers Project for volunteers The team has no plans to work on it (e.g. lack of time) but an external contribution is accepted

Comments

@timo-reymann
Contributor

As discussed in #259, Lychee already provides support for custom JavaScript, which makes it possible to add e.g. Matomo tracking.

The only problem left is the fact that the security headers prevent loading an external JavaScript file.

For this use case, it would be enough to add an env var default for secure-headers/script-src/allow[]

I would be more than happy to create a PR for that, but there are a few questions about this from my side:

  • Are there any other values that would be beneficial to make configurable?
  • What should the env var look like to keep it consistent with other env vars for config (my suggestion would be: SECURE_HEADERS__SCRIPT_SRC_ALLOW)?

If that's implemented, would it also be an option to make it part of the documentation? E.g. a small section "How to integrate Matomo, Google Analytics". I can also provide the content for that :)

@ildyria
Member

ildyria commented Jun 6, 2023

About SECURE_HEADERS__SCRIPT_SRC_ALLOW: I would avoid the double _.

We can also give a shoot-yourself-in-the-foot setting (not necessarily documented, though):
SECURE_HEADERS_ENABLED (which is obviously defaulted to true) for this one:

'enable' => ((bool) env('DEBUGBAR_ENABLED', false)) === false,

-		'enable' => ((bool) env('DEBUGBAR_ENABLED', false)) === false,
+		'enable' => ((bool) env('SECURE_HEADERS_ENABLED', true)) === true && ((bool) env('DEBUGBAR_ENABLED', false)) === false,
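
Review bot: On the `+` line, `SECURE_HEADERS_ENABLED` switches the whole `enable` flag, so setting it to false drops every secure header rather than relaxing only `script-src`, which is all the Matomo use case in this issue needs. I would keep it as an escape hatch only and make the script-src allow variable the documented route, with a comment in .env.example stating that the default is true and what disabling removes. Also, `=== true` after a `(bool)` cast is redundant, and the cast itself treats any non-empty string other than "0" as true, so the accepted values depend on what `env()` returns and are worth spelling out next to the variable.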

> If that's implemented, would it also be an option to make it part of the documentation? E.g. a small section "How to integrate Matomo, Google Analytics". I can also provide the content for that :)

We would happily integrate those too here: https://github.com/LycheeOrg/LycheeOrg.github.io
Additionally, that setting must be made available in .env.example

@ildyria ildyria added enhancement New feature or request good first issue Good for newcomers Project for volunteers The team has no plans to work on it (e.g. lack of time) but an external contribution is accepted labels Jun 6, 2023
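
One way the script-src allow variable requested in this issue could be read and validated, as an added example (not Lychee's code and not taken from the fix in #1870). The variable name SECURE_HEADERS_SCRIPT_SRC_ALLOW, the comma-separated format and the helper parseScriptSrcAllow() are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Turn a comma-separated env value into a list of CSP script-src origins.
 * Hypothetical helper: the function name and the variable name
 * SECURE_HEADERS_SCRIPT_SRC_ALLOW are assumptions, not Lychee's code.
 *
 * Only explicit https origins are accepted. Keywords such as 'unsafe-inline',
 * bare schemes (https:, data:) and wildcards are rejected, because each of
 * them would allow far more than the one analytics host the operator intends.
 *
 * @return list<string>
 */
function parseScriptSrcAllow(?string $raw): array
{
    if ($raw === null || trim($raw) === '') {
        return []; // unset or empty: nothing is added, the default policy stays
    }

    $allowed = [];
    foreach (explode(',', $raw) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // tolerate trailing commas
        }
        // https://host[:port] with an optional path; no wildcard, quote,
        // semicolon or whitespace, so an entry cannot smuggle in a directive.
        $ok = preg_match('#^https://[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?(/[A-Za-z0-9._~/-]*)?$#iD', $entry);
        if ($ok !== 1) {
            throw new InvalidArgumentException("Rejected script-src entry: {$entry}");
        }
        $allowed[$entry] = true; // array key de-duplicates
    }

    return array_keys($allowed);
}

// Constructed sample value, as it might appear in .env
$sample = 'https://matomo.example.org, https://matomo.example.org,https://stats.example.org/js/';
print_r(parseScriptSrcAllow($sample));

// Constructed values that must not reach the header
foreach (["'unsafe-inline'", 'https:', 'https://*.example.org', 'https://a.example; object-src *'] as $bad) {
    try {
        parseScriptSrcAllow($bad);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```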