Add security headers to websockets
websocket connections are by definition temporal, and cannot be cached.
Unfortunately, certain security scanners don't see it that way, and flag
errors on lack of CSP, XSS, and Content-Type headers when giving a
websocket upgrade response.
This commit adds the:
Strict-Transport-Security
Pragma
Cache-Control
Content-security-policy
X-XSS-Protection
X-Content-Type-Options
Headers to the response when an upgrade occurs, to make the security
scanners happy.
Tested:
Opened the main application, observed the /subscribe api.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: If76dc54f6501b3eb2caf44913d254a8b32d3fd30
diff --git a/crow/include/crow/websocket.h b/crow/include/crow/websocket.h
index f461477..301f394 100644
--- a/crow/include/crow/websocket.h
+++ b/crow/include/crow/websocket.h
@@ -73,8 +73,10 @@
{
BMCWEB_LOG_DEBUG << "starting connection " << this;
- std::string_view protocol = req.getHeaderValue(
- boost::beast::http::field::sec_websocket_protocol);
+ using bf = boost::beast::http::field;
+
+ std::string_view protocol =
+ req.getHeaderValue(bf::sec_websocket_protocol);
// Perform the websocket upgrade
ws.async_accept_ex(
@@ -83,9 +85,18 @@
boost::beast::websocket::response_type& m) {
if (!protocol.empty())
{
- m.insert(boost::beast::http::field::sec_websocket_protocol,
- protocol);
+ m.insert(bf::sec_websocket_protocol, protocol);
}
+
+ m.insert(bf::strict_transport_security, "max-age=31536000; "
+ "includeSubdomains; "
+ "preload");
+ m.insert(bf::pragma, "no-cache");
+ m.insert(bf::cache_control, "no-Store,no-Cache");
+ m.insert("Content-Security-Policy", "default-src 'self'");
+ m.insert("X-XSS-Protection", "1; "
+ "mode=block");
+ m.insert("X-Content-Type-Options", "nosniff");
},
[this, self(shared_from_this())](boost::system::error_code ec) {
if (ec)
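Review bot: The six added headers use `m.insert`, which in Beast appends a field without checking whether one with the same name is already present, so if anything upstream already populates this `response_type` the upgrade reply carries duplicate Strict-Transport-Security/Cache-Control/CSP fields; `m.set(...)` is the replace-or-insert form and is the safer choice for headers that should appear exactly once. The directive values are also spelled unconventionally: `no-Store,no-Cache` and `includeSubdomains` are accepted because directive names are case-insensitive, but the canonical forms `m.set(bf::cache_control, "no-store, no-cache");` and `"max-age=31536000; includeSubDomains; preload"` are what scanners and browsers document, and the odd casing is the kind of thing a strict scanner may still flag. Since the stated goal is parity with the headers sent on ordinary HTTP responses, a short comment above the block such as `// Security headers added so scanners treat the 101 response like any other; values must match those on regular responses` would tell the next maintainer why a non-cacheable upgrade reply carries cache and CSP headers at all. The decorator lambda and the enclosing `start()`-style member function both begin before this hunk and end after it.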