feature: secure form submissions extension point

[Dashue]

Description

There's been a need for some time to enable security around form submissions, this pr looks to address that.

Context

Functionality to allow downstream the ability to inject security measures as part of the form submission process

Changes

• Introduce a service responsible for owning the aspect of security (headers) when submitting forms
• Form submission process invokes the security service and passes on the resulting headers
• Documentation covering functionality and usage

Type of change

What is the type of change you are making?

• Chore or documentation (non-breaking change that does not add functionality)
• ADR (Architectural Decision Record, non-breaking change that documents or proposes a decision)
• Refactor (non-breaking change that improves code quality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

PR title

PR titles should be prefixed with the type of change you are making, based on the README.md#versioning.
This is so that when performing a squash merge, the PR title is automatically used as the commit message.

Have you updated the PR title to match the type of change you are making?

• Yes
• No, I need help or guidance

Testing

Automated tests

Have you added automated tests?

• Yes, unit or integration tests
• Yes, end-to-end (cypress) tests
• No, tests are not required for this change
• No, I need help or guidance
• No (explain why tests are not required or can't be added at this time)

Manual tests

Have you manually tested your changes?

• Yes
• No, manual tests are not required or sufficiently covered by automated tests

Have you attached an example form JSON or snippet for the reviewer in this PR?

• Yes
• No, any existing form can be used
• No, it is not required or not applicable

Steps to test

1. Implement some security logic
2. Verify security headers are being applied to form submission

Documentation

Have you updated the documentation?

• Yes, I have updated ./docs for this change since additional explanation or steps to use/configure the feature is required
• Yes, I have added or updated an ADR for this change since it is large, complex, or has significant architectural implications
• Yes, I have added inline comments for hard-to-understand areas
• No, I am not sure if documentation is required
• No, documentation is not required for this change

Discussion

Warning

Large or complex changes may require discussion with the maintainers before they can be merged. If it has not yet been discussed, it may delay the review process

Have you discussed this change with the maintainers?

• Yes, I have discussed this change with the maintainers on slack, email or via GitHub issues
• No, this change is an ADR to help kick-off discussion
• No, this change is small and does not require discussion
• No, I am not sure if one is required

[Dashue]

2 commits with second one only being typing improvement which can be separated out to it's own if preferred