Update to owasp headers
Change the Cache-Control header to what owasp recommends.
Remove the X-XSS-Protection. This has been removed from Chrome, and is
unimplemented in other browsers[1].
Add:
X-Permitted-Cross-Domain-Policies
Clear-Site-Data
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
And set them to the OWASP recommended values.
Tested: The OWASP Venom test suite now passes more tests.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Change-Id: I2860041c1037f47bb85a6444cec66960d0aa55f9
Signed-off-by: Ed Tanous <edtanous@google.com>
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index f2e9589..482b613 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -235,7 +235,8 @@
"SESSION="
"; SameSite=Strict; Secure; HttpOnly; "
"expires=Thu, 01 Jan 1970 00:00:00 GMT");
-
+ asyncResp->res.addHeader("Clear-Site-Data",
+ R"("cache","cookies","storage")");
persistent_data::SessionStore::getInstance().removeSession(session);
}
});
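Review bot: The new Clear-Site-Data header on the logout path has no comment explaining what it is for or what it costs; `"cache"` in particular tells the browser to drop every cached response for this origin, so the web UI's static assets are re-fetched on the next visit, and that deliberate OWASP-recommended trade-off should be recorded next to the call. Per the Clear-Site-Data spec, browsers only act on the header when the response comes from a secure context, so on a plain-http deployment the Set-Cookie expiry on the lines above is the only thing that actually ends the session, which the comment should also say. Suggested comment above the addHeader call: `// OWASP-recommended on logout: ask the browser to discard this origin's cache, cookies and storage. Browsers only honour it over https; the Set-Cookie expiry above remains the fallback.` The enclosing handler lambda begins outside the hunk.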
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index d99729f..9615f65 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -10,65 +10,58 @@
{
/*
TODO(ed) these should really check content types. for example,
- X-UA-Compatible header doesn't make sense when retrieving a JSON or
+ X-Content-Type-Options header doesn't make sense when retrieving a JSON or
javascript file. It doesn't hurt anything, it's just ugly.
*/
using bf = boost::beast::http::field;
- res.addHeader(bf::strict_transport_security, "max-age=31536000; "
- "includeSubdomains; "
- "preload");
- res.addHeader(bf::x_frame_options, "DENY");
-
- res.addHeader(bf::pragma, "no-cache");
- res.addHeader(bf::cache_control, "no-Store,no-Cache");
-
- res.addHeader("X-XSS-Protection", "1; "
- "mode=block");
- res.addHeader("X-Content-Type-Options", "nosniff");
// Recommendations from https://owasp.org/www-project-secure-headers/
// https://owasp.org/www-project-secure-headers/ci/headers_add.json
+ res.addHeader(bf::strict_transport_security, "max-age=31536000; "
+ "includeSubdomains");
+ res.addHeader(bf::x_frame_options, "DENY");
+
+ res.addHeader(bf::pragma, "no-cache");
+ res.addHeader(bf::cache_control, "no-store, max-age=0");
+
+ res.addHeader("X-Content-Type-Options", "nosniff");
+
res.addHeader("Referrer-Policy", "no-referrer");
- res.addHeader("Permissions-Policy", "accelerometer=(), "
- "ambient-light-sensor=(), "
- "autoplay=(), "
- "battery=(), "
- "bluetooth=(), "
- "camera=(), "
- "ch-ua=(), "
- "ch-ua-arch=(), "
- "ch-ua-bitness=(), "
- "ch-ua-full-version=(), "
- "ch-ua-full-version-list=(), "
- "ch-ua-mobile=(), "
- "ch-ua-model=(), "
- "ch-ua-platform=(), "
- "ch-ua-platform-version=(), "
- "ch-ua-wow64=(), "
- "cross-origin-isolated=(), "
- "display-capture=(), "
- "encrypted-media=(), "
- "execution-while-not-rendered=(), "
- "execution-while-out-of-viewport=(), "
- "fullscreen=(), "
- "geolocation=(), "
- "gyroscope=(), "
- "hid=(), "
- "idle-detection=(), "
- "keyboard-map=(), "
- "magnetometer=(), "
- "microphone=(), "
- "midi=(), "
- "navigation-override=(), "
- "payment=(), "
- "picture-in-picture=(), "
- "publickey-credentials-get=(), "
- "screen-wake-lock=(), "
- "serial=(), "
- "sync-xhr=(), "
- "usb=(self), "
- "web-share=(), "
- "xr-spatial-tracking2=()");
+ res.addHeader("Permissions-Policy", "accelerometer=(),"
+ "ambient-light-sensor=(),"
+ "autoplay=(),"
+ "battery=(),"
+ "camera=(),"
+ "display-capture=(),"
+ "document-domain=(),"
+ "encrypted-media=(),"
+ "fullscreen=(),"
+ "gamepad=(),"
+ "geolocation=(),"
+ "gyroscope=(),"
+ "layout-animations=(self),"
+ "legacy-image-formats=(self),"
+ "magnetometer=(),"
+ "microphone=(),"
+ "midi=(),"
+ "oversized-images=(self),"
+ "payment=(),"
+ "picture-in-picture=(),"
+ "publickey-credentials-get=(),"
+ "speaker-selection=()"
+ "sync-xhr=(self),"
+ "unoptimized-images=(self),"
+ "unsized-media=(self),"
+ "usb=(),"
+ "screen-wak-lock=(),"
+ "web-share=(),"
+ "xr-spatial-tracking=()");
+
+ res.addHeader("X-Permitted-Cross-Domain-Policies", "none");
+
+ res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
+ res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
+ res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
if (bmcwebInsecureDisableXssPrevention == 0)
{