incremental
diff --git a/src/security_headers_middleware.cpp b/src/security_headers_middleware.cpp
new file mode 100644
index 0000000..bcaa87d
--- /dev/null
+++ b/src/security_headers_middleware.cpp
@@ -0,0 +1,20 @@
+#include <security_headers_middleware.hpp>
+
+namespace crow {
+
+void SecurityHeadersMiddleware::before_handle(crow::request& req, response& res,
+ context& ctx) {}
+
+void SecurityHeadersMiddleware::after_handle(request& /*req*/, response& res,
+ context& ctx) {
+ // TODO(ed) these should really check content types. for example, X-UA-Compatible
+ // header doesn't make sense when retrieving a JSON or javascript file. It doesn't
+ // hurt anything, it's just ugly.
+ res.set_header("Strict-Transport-Security",
+ "max-age=31536000; includeSubdomains; preload");
+ res.set_header("X-UA-Compatible", "IE=11");
+ res.set_header("X-Frame-Options", "DENY");
+ res.set_header("X-XSS-Protection", "1; mode=block");
+ res.set_header("X-Content-Security-Policy", "default-src 'self'");
+}
+}
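Review bot: The policy set on the `X-Content-Security-Policy` line is ignored by current browsers, which only honour the standardized header name, so the `default-src 'self'` restriction is not actually enforced by this middleware; the line should read `res.set_header("Content-Security-Policy", "default-src 'self'");`. The `X-XSS-Protection` line above it is a legacy filter that modern browsers have removed, and a real CSP is the mechanism that supersedes it, so once the CSP header is fixed that line is at most a no-op for old clients. The existing TODO comment could also note that HSTS is being emitted unconditionally, which only matters if the service ever serves plain HTTP responses where the header is ignored anyway.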