Blame - include/security_headers.hpp - openbmc/bmcweb

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

1

#pragma once

2

Ed Tanous

3ccb3ad

2023-01-13 17:40:03 -0800

[diff] [blame]

3

#include "bmcweb_config.h"

Ed Tanous

2205bbf

2021-06-17 13:33:47 -0700

[diff] [blame]

4

Ed Tanous

3ccb3ad

2023-01-13 17:40:03 -0800

[diff] [blame]

5

#include "http_request.hpp"

6

#include "http_response.hpp"

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

7

Ed Tanous

0260d9d

2021-02-07 19:31:07 +0000

[diff] [blame]

8

inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],

9

crow::Response& res)

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

10

{

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

11

using bf = boost::beast::http::field;

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

12

Joseph Reynolds

1d9502b

2023-05-12 10:47:30 -0500

[diff] [blame]

13

// Recommendations from https://owasp.org/www-project-secure-headers/

14

// https://owasp.org/www-project-secure-headers/ci/headers_add.json

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

15

res.addHeader(bf::strict_transport_security, "max-age=31536000; "

16

"includeSubdomains");

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

17

18

res.addHeader(bf::pragma, "no-cache");

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

19

Ed Tanous

499b5b4

2024-04-06 08:39:18 -0700

[diff] [blame^]

20

if (res.getHeaderValue(bf::cache_control).empty())

21

{

22

res.addHeader(bf::cache_control, "no-store, max-age=0");

23

}

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

24

res.addHeader("X-Content-Type-Options", "nosniff");

25

Ed Tanous

c056aa7

2024-04-14 09:57:09 -0700

[diff] [blame]

26

std::string_view contentType = res.getHeaderValue("Content-Type");

27

if (contentType.starts_with("text/html"))

Ed Tanous

0260d9d

2021-02-07 19:31:07 +0000

[diff] [blame]

28

{

Ed Tanous

c056aa7

2024-04-14 09:57:09 -0700

[diff] [blame]

29

res.addHeader(bf::x_frame_options, "DENY");

30

res.addHeader("Referrer-Policy", "no-referrer");

31

res.addHeader("Permissions-Policy", "accelerometer=(),"

32

"ambient-light-sensor=(),"

"autoplay=(),"

"battery=(),"

"camera=(),"

"display-capture=(),"

37

"document-domain=(),"

38

"encrypted-media=(),"

"fullscreen=(),"

"gamepad=(),"

"geolocation=(),"

"gyroscope=(),"

"layout-animations=(self),"

44

"legacy-image-formats=(self),"

"magnetometer=(),"

"microphone=(),"

"midi=(),"

"oversized-images=(self),"

49

"payment=(),"

50

"picture-in-picture=(),"

51

"publickey-credentials-get=(),"

52

"speaker-selection=(),"

53

"sync-xhr=(self),"

54

"unoptimized-images=(self),"

55

"unsized-media=(self),"

56

"usb=(),"

57

"screen-wak-lock=(),"

58

"web-share=(),"

59

"xr-spatial-tracking=()");

60

res.addHeader("X-Permitted-Cross-Domain-Policies", "none");

61

res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");

62

res.addHeader("Cross-Origin-Opener-Policy", "same-origin");

63

res.addHeader("Cross-Origin-Resource-Policy", "same-origin");

Ed Tanous

788fe74

2024-04-22 12:41:06 -0700

[diff] [blame]

64

res.addHeader("Content-Security-Policy", "default-src 'none'; "

65

"img-src 'self' data:; "

66

"font-src 'self'; "

67

"style-src 'self'; "

68

"script-src 'self'; "

69

"connect-src 'self' wss:; "

70

"form-action 'none'; "

71

"frame-ancestors 'none'; "

72

"object-src 'none'; "

73

"base-uri 'none' ");

74

// The KVM currently needs to load images from base64 encoded

75

// strings. img-src 'self' data: is used to allow that.

76

// https://stackoverflow.com/questions/18447970/content-security-polic

77

// y-data-not-working-for-base64-images-in-chrome-28

Ed Tanous

0260d9d

2021-02-07 19:31:07 +0000

[diff] [blame]

78

}

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

79

}