Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / da7f41eaa8e20bef9d866c2e95042227249b2528 / . / include / security_headers_middleware.hpp
blob: 872f4aa65382976de592730b29118d7f675e0837 [file] [log] [blame]
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]1#pragma once
2
3#include <crow/http_request.h>
4#include <crow/http_response.h>
5
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]6namespace crow
7{
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]8struct SecurityHeadersMiddleware
9{
10 struct Context
11 {
12 };
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]13
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]14 void beforeHandle(crow::Request& req, Response& res, Context& ctx)
15 {
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]16#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]17 if ("OPTIONS"_method == req.method())
18 {
19 res.end();
20 }
21#endif
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]22 }
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]23
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]24 void afterHandle(Request& req, Response& res, Context& ctx)
25 {
26 /*
27 TODO(ed) these should really check content types. for example,
28 X-UA-Compatible header doesn't make sense when retrieving a JSON or
29 javascript file. It doesn't hurt anything, it's just ugly.
30 */
Ed Tanous750ceae2018-11-30 15:02:22 -0800[diff] [blame]31 using bf = boost::beast::http::field;
32 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
33 "includeSubdomains; "
34 "preload");
35 res.addHeader(bf::x_frame_options, "DENY");
36
37 res.addHeader(bf::pragma, "no-cache");
38 res.addHeader(bf::cache_control, "no-Store,no-Cache");
39 res.addHeader("X-Content-Security-Policy", "default-src 'self'");
40 res.addHeader("X-XSS-Protection", "1; "
41 "mode=block");
42 res.addHeader("X-UA-Compatible", "IE=11");
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]43
44#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
45
Ed Tanous750ceae2018-11-30 15:02:22 -0800[diff] [blame]46 res.addHeader(bf::access_control_allow_origin, "http://localhost:8080");
47 res.addHeader(bf::access_control_allow_methods, "GET, "
48 "POST, "
49 "PUT, "
Ed Tanousda7f41e2018-12-10 13:36:40 -0800[diff] [blame^]50 "PATCH, "
51 "DELETE");
Ed Tanous750ceae2018-11-30 15:02:22 -0800[diff] [blame]52 res.addHeader(bf::access_control_allow_credentials, "true");
53 res.addHeader(bf::access_control_allow_headers, "Origin, "
54 "Content-Type, "
55 "Accept, "
56 "Cookie, "
57 "X-XSRF-TOKEN");
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]58
59#endif
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]60 }
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]61};
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]62} // namespace crow