security: address gosec findings and improve HTTP security headers #84

Merged: aaronbrethorst merged 8 commits into OneBusAway:main from 0xaboomar:security on Aug 26, 2025

Conversation

@0xaboomar (Member)

This PR improves the security posture of the application by addressing issues found through static and dynamic analysis.

Changes

  • Ran static code analysis with Gosec and resolved all reported severity findings.
  • Performed a passive scan with OWASP ZAP:
    • No high-severity issues were found.
    • Three low-severity issues were detected and fixed by adding security-related HTTP headers.
  • Ran a full active scan with OWASP ZAP:
    • No issues were found.

Outcome

  • Code now passes Gosec static analysis with all severities resolved.
  • OWASP ZAP scans (passive + active) report no remaining vulnerabilities.
  • Application now sets stronger security headers for safer HTTP responses.

@coveralls commented Aug 25, 2025

Coverage Status: coverage: 49.179% (+1.3%) from 47.869% when pulling c94416b on Abo-Omar-74:security into 5d23b6f on OneBusAway:main.

@aaronbrethorst aaronbrethorst requested a review from Copilot August 25, 2025 22:20

Copilot AI left a comment

Pull Request Overview

This PR improves application security by addressing static analysis findings from Gosec and adding HTTP security headers based on OWASP ZAP recommendations.

  • Static analysis issues resolved by adding #nosec comments with explanations for safe operations in test code
  • Security middleware added to set standard HTTP security headers like CSP, XSS protection, and cache control
  • Unused code removed from cache and utility modules to reduce attack surface

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Summary per file:

  • internal/middleware/security_middleware.go: New security middleware applying HTTP headers for vulnerability mitigation
  • internal/config/config_loader.go: File path validation added to prevent path traversal attacks
  • internal/config/backoff_time_store.go: New backoff mechanism with jitter using non-cryptographic randomness
  • internal/app/routes.go: Security middleware integration into request handling chain
  • internal/app/handlers.go: Error handling improvement in health check response encoding
  • internal/metrics/test_helpers.go: Gosec suppressions added for safe test file operations
  • internal/gtfs/test_helpers.go: Gosec suppressions added for safe test file operations
  • internal/config/config_loader_test.go: Test refactoring to use secure temporary file creation
  • internal/utils/*: Removed unused cache utilities and custom time handling
  • internal/gtfs/gtfs_bundles.go: Removed unused GTFS parsing function
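The per-file summary above describes a middleware that sets CSP, cache-control and XSS-related headers. The block below is an added example of how such a `net/http` middleware is typically written and verified; it is not the project's `internal/middleware/security_middleware.go`, and the header values (a `default-src 'none'` policy suited to a JSON API, `no-store` caching, HSTS only on TLS) are assumptions for illustration rather than what the PR ships. The request target and the `/api/where/...` path used to exercise it are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SecurityHeaders is an illustrative middleware (not the project's own).
// It sets the headers before calling the wrapped handler, because any
// header added after WriteHeader/Write has been called is silently dropped.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// Assumed policy for an API that serves no HTML or scripts of its own;
		// a browser-facing UI would need a policy listing its asset origins.
		h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "no-referrer")
		// Live transit data should not linger in shared caches or browser history.
		h.Set("Cache-Control", "no-store")
		// The legacy XSS auditor has been removed from current browsers; OWASP
		// recommends "0" so that older engines do not enable it either.
		h.Set("X-XSS-Protection", "0")
		// HSTS only means something on a TLS connection; browsers ignore it
		// over plain HTTP and it confuses local testing, so gate it on r.TLS.
		if r.TLS != nil {
			h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		}
		next.ServeHTTP(w, r)
	})
}

// ResponseHeaders drives a constructed request through the middleware and
// returns the response headers, so the policy can be asserted on in a test.
// A target beginning with https:// makes httptest populate r.TLS.
func ResponseHeaders(target string) http.Header {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(`{"status":"ok"}`)) // constructed sample body
	})
	rec := httptest.NewRecorder()
	SecurityHeaders(api).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result().Header
}

func main() {
	for name, vals := range ResponseHeaders("https://example.test/api/where/current-time.json") {
		fmt.Printf("%s: %s\n", name, vals[0])
	}
}
```

Re-running the ZAP passive scan after a change like this is the check that matters: ZAP reads the headers on real responses, so a middleware that is registered after a handler has already written (or on only some routes) will still produce findings even though the code looks right.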
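The summary also lists file path validation in the config loader and `#nosec` suppressions for file operations. The following is an added example, not the project's `config_loader.go`, of the check that justifies suppressing gosec's G304 ("potential file inclusion via variable") on a read: the requested name is joined onto an allowed base directory, cleaned, and rejected if the relative result climbs out of that directory. `ErrOutsideBaseDir`, `ResolveConfigPath` and `ReadConfig` are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBaseDir is returned when a requested path would resolve outside
// the directory the loader is allowed to read from.
var ErrOutsideBaseDir = errors.New("config path escapes base directory")

// ResolveConfigPath confines name to baseDir. filepath.Join cleans its result,
// so "sub/../../x" collapses before the comparison; filepath.Rel then exposes
// any remaining climb as a leading ".." segment, which is rejected. An
// absolute name is simply joined under base rather than honoured.
func ResolveConfigPath(baseDir, name string) (string, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBaseDir
	}
	return full, nil
}

// ReadConfig performs the validated read. os.ReadFile with a variable path is
// what gosec reports as G304; the suppression comment records why it is safe.
func ReadConfig(baseDir, name string) ([]byte, error) {
	p, err := ResolveConfigPath(baseDir, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p) // #nosec G304 -- p is confined to baseDir by ResolveConfigPath
}

func main() {
	// Constructed inputs: the first is allowed, the second is a traversal attempt.
	for _, name := range []string{"app.yaml", "../../etc/passwd"} {
		p, err := ResolveConfigPath("./config", name)
		fmt.Printf("%-20s -> %q err=%v\n", name, p, err)
	}
}
```

One caveat the check above does not cover: a symlink placed inside the base directory still resolves wherever it points. If the base directory is writable by anyone other than the service, run `filepath.EvalSymlinks` on the joined path and repeat the `Rel` comparison on the result.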

Comment thread internal/app/handlers.go Outdated

@aaronbrethorst (Member) left a comment

🔥 go go go!

@aaronbrethorst aaronbrethorst merged commit beb33f6 into OneBusAway:main Aug 26, 2025
3 checks passed

4 participants