Large updates to webserver

Do not merge yet

Change-Id: I38c56844c1b0e3e8e5493c2705e62e6db7ee2102
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 19644f4..e12395a 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -4,34 +4,28 @@
 #include <crow/http_response.h>
 
 namespace crow {
-static const std::string strict_transport_security_key =
-    "Strict-Transport-Security";
-static const std::string strict_transport_security_value =
+static const char* strict_transport_security_key = "Strict-Transport-Security";
+static const char* strict_transport_security_value =
     "max-age=31536000; includeSubdomains; preload";
 
-static const std::string ua_compatability_key = "X-UA-Compatible";
-static const std::string ua_compatability_value = "IE=11";
+static const char* ua_compatability_key = "X-UA-Compatible";
+static const char* ua_compatability_value = "IE=11";
 
-static const std::string xframe_key = "X-Frame-Options";
-static const std::string xframe_value = "DENY";
+static const char* xframe_key = "X-Frame-Options";
+static const char* xframe_value = "DENY";
 
-static const std::string xss_key = "X-XSS-Protection";
-static const std::string xss_value = "1; mode=block";
+static const char* xss_key = "X-XSS-Protection";
+static const char* xss_value = "1; mode=block";
 
-static const std::string content_security_key = "X-Content-Security-Policy";
-static const std::string content_security_value = "default-src 'self'";
-
+static const char* content_security_key = "X-Content-Security-Policy";
+static const char* content_security_value = "default-src 'self'";
 
 struct SecurityHeadersMiddleware {
   struct context {};
 
-  void before_handle(crow::request& req,
-                                                       response& res,
-                                                       context& ctx) {}
+  void before_handle(crow::request& req, response& res, context& ctx) {}
 
-  void after_handle(request& /*req*/,
-                                                      response& res,
-                                                      context& ctx) {
+  void after_handle(request& req, response& res, context& ctx) {
     /*
      TODO(ed) these should really check content types.  for example,
      X-UA-Compatible header doesn't make sense when retrieving a JSON or
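Review bot: `content_security_key` is still `X-Content-Security-Policy`, a legacy prefixed name that current browsers do not enforce, so the `default-src 'self'` policy is most likely never applied. The string predates this commit, but the line is rewritten here, so this is a cheap place to switch to the standard name: `static const char* content_security_key = "Content-Security-Policy";`. Separately, `static const char*` in a header leaves each pointer reassignable and gives every translation unit its own copy; `static constexpr const char*` would keep these header constants read-only. The body of after_handle continues outside this hunk.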
@@ -43,6 +37,8 @@
     res.add_header(xframe_key, xframe_value);
     res.add_header(xss_key, xss_value);
     res.add_header(content_security_key, content_security_value);
+    res.add_header("Access-Control-Allow-Origin", "http://localhost:8085");
+    res.add_header("Access-Control-Allow-Credentials", "true");
   }
 };
-}
\ No newline at end of file
+}  // namespace crow
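Review bot: The two `Access-Control-Allow-*` headers added at the end of after_handle are sent on every response in every build, and they pair a hard-coded development origin (`http://localhost:8085`) with `Access-Control-Allow-Credentials: true`. In a shipped image, any content served from that port on the client machine would be allowed to read authenticated responses from this server. The allowed origin is also plain HTTP, while the same function sends HSTS. If this exists only for local front-end development, compile it out by default by wrapping the two lines in `#ifdef <DEV_CORS_BUILD_FLAG>` / `#endif` (placeholder name), or compare the request's `Origin` against a configured allow-list and also send `Vary: Origin`. The start of after_handle is outside this hunk.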