bmcweb: Clean up security headers

Inline strings make this patchset easier to read, and identify where
we're adding headers.  Also, in the cases where we're using common keys,
passing it by boost::beast::http::field helps us avoid some dict
lookups.  These performance improvements are largely hypothetical, as it
would be unlikely we'd ever measure a real difference.

Change-Id: Ic931c4454a5f40c0d206bb4df09058f8f61fc0e2
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 561fd81..4ef864b 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -5,28 +5,6 @@
 
 namespace crow
 {
-static const char* strictTransportSecurityKey = "Strict-Transport-Security";
-static const char* strictTransportSecurityValue =
-    "max-age=31536000; includeSubdomains; preload";
-
-static const char* uaCompatabilityKey = "X-UA-Compatible";
-static const char* uaCompatabilityValue = "IE=11";
-
-static const char* xframeKey = "X-Frame-Options";
-static const char* xframeValue = "DENY";
-
-static const char* xssKey = "X-XSS-Protection";
-static const char* xssValue = "1; mode=block";
-
-static const char* contentSecurityKey = "X-Content-Security-Policy";
-static const char* contentSecurityValue = "default-src 'self'";
-
-static const char* pragmaKey = "Pragma";
-static const char* pragmaValue = "no-cache";
-
-static const char* cacheControlKey = "Cache-Control";
-static const char* cacheControlValue = "no-Store,no-Cache";
-
 struct SecurityHeadersMiddleware
 {
     struct Context
@@ -50,21 +28,32 @@
          X-UA-Compatible header doesn't make sense when retrieving a JSON or
          javascript file.  It doesn't hurt anything, it's just ugly.
          */
-        res.addHeader(strictTransportSecurityKey, strictTransportSecurityValue);
-        res.addHeader(uaCompatabilityKey, uaCompatabilityValue);
-        res.addHeader(xframeKey, xframeValue);
-        res.addHeader(xssKey, xssValue);
-        res.addHeader(contentSecurityKey, contentSecurityValue);
-        res.addHeader(pragmaKey, pragmaValue);
-        res.addHeader(cacheControlKey, cacheControlValue);
+        using bf = boost::beast::http::field;
+        res.addHeader(bf::strict_transport_security, "max-age=31536000; "
+                                                     "includeSubdomains; "
+                                                     "preload");
+        res.addHeader(bf::x_frame_options, "DENY");
+
+        res.addHeader(bf::pragma, "no-cache");
+        res.addHeader(bf::cache_control, "no-Store,no-Cache");
+        res.addHeader("X-Content-Security-Policy", "default-src 'self'");
+        res.addHeader("X-XSS-Protection", "1; "
+                                          "mode=block");
+        res.addHeader("X-UA-Compatible", "IE=11");
 
 #ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
 
-        res.addHeader("Access-Control-Allow-Origin", "http://localhost:8080");
-        res.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH");
-        res.addHeader("Access-Control-Allow-Credentials", "true");
-        res.addHeader("Access-Control-Allow-Headers",
-                      "Origin, Content-Type, Accept, Cookie, X-XSRF-TOKEN");
+        res.addHeader(bf::access_control_allow_origin, "http://localhost:8080");
+        res.addHeader(bf::access_control_allow_methods, "GET, "
+                                                        "POST, "
+                                                        "PUT, "
+                                                        "PATCH");
+        res.addHeader(bf::access_control_allow_credentials, "true");
+        res.addHeader(bf::access_control_allow_headers, "Origin, "
+                                                        "Content-Type, "
+                                                        "Accept, "
+                                                        "Cookie, "
+                                                        "X-XSRF-TOKEN");
 
 #endif
     }
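Review bot: The policy on the `X-Content-Security-Policy` line is sent only under the legacy prefixed name, which some older browsers honoured, so current browsers will not enforce `default-src 'self'` from it. The standard name should be sent as well, e.g. `res.addHeader("Content-Security-Policy", "default-src 'self'");` (Beast may provide a field enumerator for it, which would match the other calls). Short values split across adjacent literals, such as `"1; " "mode=block"`, are harder to read and to grep than a single literal like `"1; mode=block"`. A comment above the `BMCWEB_INSECURE_DISABLE_XSS_PREVENTION` block should say it is a development-only build option, since it permits credentialed cross-origin requests from `http://localhost:8080`. The enclosing function starts outside this hunk.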