Add headers Referrer-Policy and Permissions-Policy
This adds HTTP response headers Referrer-Policy and Permissions-Policy per
OWASP guidelines, with some appropriate values for BMCWeb.
https://owasp.org/www-project-secure-headers/
Policies are given for all standardized features. Every feature is disabled
(empty allowlist) except the one the web application uses, which is permitted
for the same origin only: usb=(self).
Tested: Yes
Via curl, confirmed headers are present.
On selected browsers, opened browser tools and confirmed browsers didn't
complain about the new headers. Browsers checked were:
- Firefox 111.0.1 (64-bit)
- Safari Version 16.4 (18615.1.26.11.23)
Did not test access to features secured by the Permissions-Policy.
Did not test if the web application features still work.
Change-Id: I65f89d2959b0b1338c20d7222229fbdc1d720834
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index 9877bb0..d99729f 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -26,6 +26,50 @@
"mode=block");
res.addHeader("X-Content-Type-Options", "nosniff");
+ // Recommendations from https://owasp.org/www-project-secure-headers/
+ // https://owasp.org/www-project-secure-headers/ci/headers_add.json
+ res.addHeader("Referrer-Policy", "no-referrer");
+ res.addHeader("Permissions-Policy", "accelerometer=(), "
+ "ambient-light-sensor=(), "
+ "autoplay=(), "
+ "battery=(), "
+ "bluetooth=(), "
+ "camera=(), "
+ "ch-ua=(), "
+ "ch-ua-arch=(), "
+ "ch-ua-bitness=(), "
+ "ch-ua-full-version=(), "
+ "ch-ua-full-version-list=(), "
+ "ch-ua-mobile=(), "
+ "ch-ua-model=(), "
+ "ch-ua-platform=(), "
+ "ch-ua-platform-version=(), "
+ "ch-ua-wow64=(), "
+ "cross-origin-isolated=(), "
+ "display-capture=(), "
+ "encrypted-media=(), "
+ "execution-while-not-rendered=(), "
+ "execution-while-out-of-viewport=(), "
+ "fullscreen=(), "
+ "geolocation=(), "
+ "gyroscope=(), "
+ "hid=(), "
+ "idle-detection=(), "
+ "keyboard-map=(), "
+ "magnetometer=(), "
+ "microphone=(), "
+ "midi=(), "
+ "navigation-override=(), "
+ "payment=(), "
+ "picture-in-picture=(), "
+ "publickey-credentials-get=(), "
+ "screen-wake-lock=(), "
+ "serial=(), "
+ "sync-xhr=(), "
+ "usb=(self), "
+ "web-share=(), "
+ "xr-spatial-tracking2=()");
+
if (bmcwebInsecureDisableXssPrevention == 0)
{
res.addHeader("Content-Security-Policy", "default-src 'none'; "