include/security_headers_middleware.hpp

#pragma once

#include <crow/http_request.h>
#include <crow/http_response.h>

namespace crow {
static const char* strict_transport_security_key = "Strict-Transport-Security";
static const char* strict_transport_security_value =
    "max-age=31536000; includeSubdomains; preload";

static const char* ua_compatability_key = "X-UA-Compatible";
static const char* ua_compatability_value = "IE=11";

static const char* xframe_key = "X-Frame-Options";
static const char* xframe_value = "DENY";

static const char* xss_key = "X-XSS-Protection";
static const char* xss_value = "1; mode=block";

static const char* content_security_key = "X-Content-Security-Policy";
static const char* content_security_value = "default-src 'self'";

struct SecurityHeadersMiddleware {
  struct context {};

  void before_handle(crow::request& req, response& res, context& ctx) {}

  void after_handle(request& req, response& res, context& ctx) {
    /*
     TODO(ed) these should really check content types.  for example,
     X-UA-Compatible header doesn't make sense when retrieving a JSON or
     javascript file.  It doesn't hurt anything, it's just ugly.
     */
    res.add_header(strict_transport_security_key,
                   strict_transport_security_value);
    res.add_header(ua_compatability_key, ua_compatability_value);
    res.add_header(xframe_key, xframe_value);
    res.add_header(xss_key, xss_value);
    res.add_header(content_security_key, content_security_value);
    res.add_header("Access-Control-Allow-Origin", "http://localhost:8085");
    res.add_header("Access-Control-Allow-Credentials", "true");
  }
};
}  // namespace crow