incremental
diff --git a/src/security_headers_middleware.cpp b/src/security_headers_middleware.cpp
index bcaa87d..265cda7 100644
--- a/src/security_headers_middleware.cpp
+++ b/src/security_headers_middleware.cpp
@@ -2,19 +2,38 @@
 
 namespace crow {
 
+static const std::string strict_transport_security_key =
+    "Strict-Transport-Security";
+static const std::string strict_transport_security_value =
+    "max-age=31536000; includeSubdomains; preload";
+
+static const std::string ua_compatability_key = "X-UA-Compatible";
+static const std::string ua_compatability_value = "IE=11";
+
+static const std::string xframe_key = "X-Frame-Options";
+static const std::string xframe_value = "DENY";
+
+static const std::string xss_key = "X-XSS-Protection";
+static const std::string xss_value = "1; mode=block";
+
+static const std::string content_security_key = "X-Content-Security-Policy";
+static const std::string content_security_value = "default-src 'self'";
+
 void SecurityHeadersMiddleware::before_handle(crow::request& req, response& res,
                                               context& ctx) {}
 
 void SecurityHeadersMiddleware::after_handle(request& /*req*/, response& res,
                                              context& ctx) {
-  // TODO(ed) these should really check content types.  for example, X-UA-Compatible
-  // header doesn't make sense when retrieving a JSON or javascript file.  It doesn't
-  // hurt anything, it's just ugly.
-  res.set_header("Strict-Transport-Security",
-                 "max-age=31536000; includeSubdomains; preload");
-  res.set_header("X-UA-Compatible", "IE=11");
-  res.set_header("X-Frame-Options", "DENY");
-  res.set_header("X-XSS-Protection", "1; mode=block");
-  res.set_header("X-Content-Security-Policy", "default-src 'self'");
+  /*
+   TODO(ed) these should really check content types.  for example,
+   X-UA-Compatible header doesn't make sense when retrieving a JSON or
+   javascript file.  It doesn't hurt anything, it's just ugly.
+   */
+  res.add_header(strict_transport_security_key,
+                 strict_transport_security_value);
+  res.add_header(ua_compatability_key, ua_compatability_value);
+  res.add_header(xframe_key, xframe_value);
+  res.add_header(xss_key, xss_value);
+  res.add_header(content_security_key, content_security_value);
 }
 }
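Review bot: The `content_security_key` constant still sends the policy under `X-Content-Security-Policy`, a legacy vendor-prefixed name that current browsers ignore, so `default-src 'self'` is not enforced for most clients. The standard name is `static const std::string content_security_key = "Content-Security-Policy";`, and the old prefixed header can be sent alongside it if legacy clients matter. Separately, `after_handle` now calls `add_header` where it used to call `set_header`. If `add_header` appends rather than replaces (crow's response class is not visible in this hunk), a handler that already set `X-Frame-Options` or `Strict-Transport-Security` would produce duplicate headers, and browsers do not all resolve conflicting copies the same way. Confirm the semantics, or keep `set_header` for headers that must appear exactly once.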