Blame - include/security_headers.hpp - openbmc/bmcweb

2020-07-18 13:51:21 -0700

[diff] [blame]

1

#pragma once

2

Ed Tanous

3ccb3ad

2023-01-13 17:40:03 -0800

[diff] [blame]

3

#include "bmcweb_config.h"

Ed Tanous

2205bbf

2021-06-17 13:33:47 -0700

[diff] [blame]

4

Ed Tanous

3ccb3ad

2023-01-13 17:40:03 -0800

[diff] [blame]

5

#include "http_request.hpp"

6

#include "http_response.hpp"

Ed Tanous

2020-07-18 13:51:21 -0700

[diff] [blame]

7

Ed Tanous

2021-02-07 19:31:07 +0000

[diff] [blame]

8

inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],

9

crow::Response& res)

Ed Tanous

2020-07-18 13:51:21 -0700

[diff] [blame]

10

{

11

/*

12

TODO(ed) these should really check content types. for example,

Ed Tanous

2023-06-14 17:11:47 -0700

[diff] [blame]

13

X-Content-Type-Options header doesn't make sense when retrieving a JSON or

Ed Tanous

2020-07-18 13:51:21 -0700

[diff] [blame]

14

javascript file. It doesn't hurt anything, it's just ugly.

15

*/

16

using bf = boost::beast::http::field;

Ed Tanous

2020-07-18 13:51:21 -0700

[diff] [blame]

17

Joseph Reynolds

1d9502b

2023-05-12 10:47:30 -0500

[diff] [blame]

18

// Recommendations from https://owasp.org/www-project-secure-headers/

19

// https://owasp.org/www-project-secure-headers/ci/headers_add.json

Ed Tanous

2023-06-14 17:11:47 -0700

[diff] [blame]

20

res.addHeader(bf::strict_transport_security, "max-age=31536000; "

21

"includeSubdomains");

22

res.addHeader(bf::x_frame_options, "DENY");

23

24

res.addHeader(bf::pragma, "no-cache");

25

res.addHeader(bf::cache_control, "no-store, max-age=0");

26

27

res.addHeader("X-Content-Type-Options", "nosniff");

28

Joseph Reynolds

1d9502b

2023-05-12 10:47:30 -0500

[diff] [blame]

29

res.addHeader("Referrer-Policy", "no-referrer");

Ed Tanous

2023-06-14 17:11:47 -0700

[diff] [blame]

30

res.addHeader("Permissions-Policy", "accelerometer=(),"

31

"ambient-light-sensor=(),"

"autoplay=(),"

"battery=(),"

"camera=(),"

"display-capture=(),"

36

"document-domain=(),"

37

"encrypted-media=(),"

"fullscreen=(),"

"gamepad=(),"

"geolocation=(),"

"gyroscope=(),"

"layout-animations=(self),"

43

"legacy-image-formats=(self),"

"magnetometer=(),"

"microphone=(),"

"midi=(),"

"oversized-images=(self),"

48

"payment=(),"

49

"picture-in-picture=(),"

50

"publickey-credentials-get=(),"

Joseph Reynolds

9bdc8b5

2023-08-16 12:47:32 -0500

[diff] [blame]

51

"speaker-selection=(),"

Ed Tanous

2023-06-14 17:11:47 -0700

[diff] [blame]

52

"sync-xhr=(self),"

53

"unoptimized-images=(self),"

54

"unsized-media=(self),"

55

"usb=(),"

56

"screen-wak-lock=(),"

57

"web-share=(),"

58

"xr-spatial-tracking=()");

Ed Tanous

2023-06-14 17:11:47 -0700

[diff] [blame]

59

res.addHeader("X-Permitted-Cross-Domain-Policies", "none");

Ed Tanous

2023-06-14 17:11:47 -0700

[diff] [blame]

60

res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");

61

res.addHeader("Cross-Origin-Opener-Policy", "same-origin");

62

res.addHeader("Cross-Origin-Resource-Policy", "same-origin");

Ed Tanous

e662eae

2022-01-25 10:39:19 -0800

[diff] [blame]

63

if (bmcwebInsecureDisableXssPrevention == 0)

Ed Tanous

2021-02-07 19:31:07 +0000

[diff] [blame]

64

{

65

res.addHeader("Content-Security-Policy", "default-src 'none'; "

66

"img-src 'self' data:; "

67

"font-src 'self'; "

68

"style-src 'self'; "

69

"script-src 'self'; "

Basheer Ahmed Muddebihal

2021-03-17 00:55:57 -0700

[diff] [blame]

70

"connect-src 'self' wss:; "

71

"form-action 'none'; "

72

"frame-ancestors 'none'; "

Jiaqing Zhao

91ac2e5

2022-03-17 00:18:58 +0800

[diff] [blame]

73

"object-src 'none'; "

Basheer Ahmed Muddebihal

2021-03-17 00:55:57 -0700

[diff] [blame]

74

"base-uri 'none' ");

Ed Tanous

2021-02-07 19:31:07 +0000

[diff] [blame]

75

// The KVM currently needs to load images from base64 encoded

76

// strings. img-src 'self' data: is used to allow that.

Basheer Ahmed Muddebihal

2021-03-17 00:55:57 -0700

[diff] [blame]

77

// https://stackoverflow.com/questions/18447970/content-security-polic

78

// y-data-not-working-for-base64-images-in-chrome-28

Ed Tanous

2021-02-07 19:31:07 +0000

[diff] [blame]

}

else

{

// If XSS is disabled, we need to allow loading from addresses other

83

// than self, as the BMC will be hosted elsewhere.

84

res.addHeader("Content-Security-Policy", "default-src 'none'; "

"img-src *; "

"font-src *; "

"style-src *; "

"script-src *; "

Basheer Ahmed Muddebihal

2021-03-17 00:55:57 -0700

[diff] [blame]

89

"connect-src *; "

90

"form-action *; "

91

"frame-ancestors *; "

Jiaqing Zhao

91ac2e5

2022-03-17 00:18:58 +0800

[diff] [blame]

92

"object-src *; "

Basheer Ahmed Muddebihal

2021-03-17 00:55:57 -0700

[diff] [blame]

93

"base-uri *");

Ed Tanous

2020-07-18 13:51:21 -0700

[diff] [blame]

94

Ed Tanous

26ccae3

2023-02-16 10:28:44 -0800

[diff] [blame]

95

std::string_view origin = req.getHeaderValue("Origin");

Ed Tanous

2021-02-07 19:31:07 +0000

[diff] [blame]

96

res.addHeader(bf::access_control_allow_origin, origin);

97

res.addHeader(bf::access_control_allow_methods, "GET, "

"POST, "

"PUT, "

"PATCH, "

"DELETE");

res.addHeader(bf::access_control_allow_credentials, "true");

103

res.addHeader(bf::access_control_allow_headers, "Origin, "

"Content-Type, "

"Accept, "

"Cookie, "

"X-XSRF-TOKEN");

}

Ed Tanous