Ed Tanous8041f312017-04-03 09:47:01 -07001#include <security_headers_middleware.hpp>
2
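namespace crow {

// Fixed response-hardening headers that SecurityHeadersMiddleware::after_handle
// appends to every response.  None of the values depend on the request.

// HSTS.  User agents only honor this header on a TLS response (RFC 6797), so
// it is inert, but harmless, when the server is reached over plain HTTP.
static const std::string strict_transport_security_key =
    "Strict-Transport-Security";
static const std::string strict_transport_security_value =
    "max-age=31536000; includeSubdomains; preload";

static const std::string ua_compatability_key = "X-UA-Compatible";
static const std::string ua_compatability_value = "IE=11";

// Forbid framing by any origin (clickjacking mitigation).
static const std::string xframe_key = "X-Frame-Options";
static const std::string xframe_value = "DENY";

// NOTE(review): X-XSS-Protection is a legacy, browser-specific header that
// current browsers no longer act on; it is not a substitute for a real CSP.
static const std::string xss_key = "X-XSS-Protection";
static const std::string xss_value = "1; mode=block";

// NOTE(review): "X-Content-Security-Policy" is the pre-standard prefixed name.
// Current browsers only enforce "Content-Security-Policy", so this policy is
// most likely not applied by them.  Renaming the key is the real fix, but
// "default-src 'self'" would then also block any inline script/style the
// served UI depends on, so the rename has to be validated against the
// frontend before switching.
static const std::string content_security_key = "X-Content-Security-Policy";
static const std::string content_security_value = "default-src 'self'";

/// No pre-handler work: headers are attached on the way out (after_handle).
/// All parameters are intentionally unused.
void SecurityHeadersMiddleware::before_handle(request& /*req*/,
                                              response& /*res*/,
                                              context& /*ctx*/) {}

/// Attach the fixed set of security headers to the outgoing response.
///
/// @param res  Response the headers are added to.  They are added
///             unconditionally, regardless of status or content type.
void SecurityHeadersMiddleware::after_handle(request& /*req*/, response& res,
                                             context& /*ctx*/) {
  /*
  TODO(ed) these should really check content types. for example,
  X-UA-Compatible header doesn't make sense when retrieving a JSON or
  javascript file. It doesn't hurt anything, it's just ugly.
  */
  res.add_header(strict_transport_security_key,
                 strict_transport_security_value);
  res.add_header(ua_compatability_key, ua_compatability_value);
  res.add_header(xframe_key, xframe_value);
  res.add_header(xss_key, xss_value);
  res.add_header(content_security_key, content_security_value);
}
}  // namespace crow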