Remove middlewares

Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are.  Given that we only really
use 1 real middleware today (token auth) and it needs to move into the
parser mode anyway (for security limiting buffer sizes), we might as well
use this as an opportunity to delete some code.

Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates.  This
should be a decent (unmeasured) win on compile times.

This commit was part of a commit previously called "various cleanups".
This separates ONLY the middleware deletion part of that.

Note, this also deletes about 400 lines of hard to understand code.

Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
new file mode 100644
index 0000000..cf845c1
--- /dev/null
+++ b/include/security_headers.hpp
@@ -0,0 +1,61 @@
+#pragma once
+
+#include <http_response.h>
+
+inline void addSecurityHeaders(crow::Response& res)
+{
+    /*
+     TODO(ed) these should really check content types.  for example,
+     X-UA-Compatible header doesn't make sense when retrieving a JSON or
+     javascript file.  It doesn't hurt anything, it's just ugly.
+     */
+    using bf = boost::beast::http::field;
+    res.addHeader(bf::strict_transport_security, "max-age=31536000; "
+                                                 "includeSubdomains; "
+                                                 "preload");
+    res.addHeader(bf::x_frame_options, "DENY");
+
+    res.addHeader(bf::pragma, "no-cache");
+    res.addHeader(bf::cache_control, "no-Store,no-Cache");
+
+    res.addHeader("X-XSS-Protection", "1; "
+                                      "mode=block");
+    res.addHeader("X-Content-Type-Options", "nosniff");
+
+#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+    res.addHeader("Content-Security-Policy", "default-src 'none'; "
+                                             "img-src 'self' data:; "
+                                             "font-src 'self'; "
+                                             "style-src 'self'; "
+                                             "script-src 'self'; "
+                                             "connect-src 'self' wss:");
+    // The KVM currently needs to load images from base64 encoded
+    // strings. img-src 'self' data: is used to allow that.
+    // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
+
+#else
+    // If XSS is disabled, we need to allow loading from addresses other
+    // than self, as the BMC will be hosted elsewhere.
+    res.addHeader("Content-Security-Policy", "default-src 'none'; "
+                                             "img-src *; "
+                                             "font-src *; "
+                                             "style-src *; "
+                                             "script-src *; "
+                                             "connect-src *");
+
+    const std::string_view origin = req.getHeaderValue("Origin");
+    res.addHeader(bf::access_control_allow_origin, origin);
+    res.addHeader(bf::access_control_allow_methods, "GET, "
+                                                    "POST, "
+                                                    "PUT, "
+                                                    "PATCH, "
+                                                    "DELETE");
+    res.addHeader(bf::access_control_allow_credentials, "true");
+    res.addHeader(bf::access_control_allow_headers, "Origin, "
+                                                    "Content-Type, "
+                                                    "Accept, "
+                                                    "Cookie, "
+                                                    "X-XSRF-TOKEN");
+
+#endif
+}
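Review bot: the `#else` branch calls `req.getHeaderValue("Origin")`, but `addSecurityHeaders` only takes `crow::Response& res` and no `req` is in scope, so any build that defines `BMCWEB_INSECURE_DISABLE_XSS_PREVENTION` will fail to compile. Either pass the request in as a second parameter (for example a `const crow::Request& req`, with the matching include) or take the origin value as an argument. While you are in that branch: it reflects whatever `Origin` the client sent into `Access-Control-Allow-Origin` and also sets `Access-Control-Allow-Credentials: true`, which lets any site make credentialed cross-origin requests. That may be acceptable behind a flag named "INSECURE", but the existing comment only explains the relaxed CSP, so please add a line stating that the CORS relaxation is intentional and debug-only. Smaller point: the file uses `std::string_view` and `boost::beast::http::field` but includes only `<http_response.h>`; add `<string_view>` and the Beast header directly so the file does not rely on transitive includes.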