Ed Tanous | 8041f31 | 2017-04-03 09:47:01 -0700 | [diff] [blame] | 1 | #include <security_headers_middleware.hpp> |
| 2 | |
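namespace crow {

/// Nothing to do before the handler runs: every header this middleware
/// adds is applied in after_handle(), once the response exists.
/// All three parameters are intentionally unused, so their names are
/// commented out to match after_handle() and to keep -Wunused-parameter quiet.
void SecurityHeadersMiddleware::before_handle(crow::request& /*req*/,
                                              response& /*res*/,
                                              context& /*ctx*/) {}

/// Attach a fixed set of browser hardening headers to every response.
///
/// The headers are unconditional: they do not depend on the request, on the
/// handler outcome, or on the response content type (see the TODO below).
///
/// @param res  The response the headers are written to.
/// @param ctx  Unused; present only to satisfy the middleware interface.
void SecurityHeadersMiddleware::after_handle(request& /*req*/, response& res,
                                             context& /*ctx*/) {
  // TODO(ed) these should really check content types. for example, X-UA-Compatible
  // header doesn't make sense when retrieving a JSON or javascript file. It doesn't
  // hurt anything, it's just ugly.

  // HSTS: one year, covering all subdomains, eligible for browser preload lists.
  res.set_header("Strict-Transport-Security",
                 "max-age=31536000; includeSubdomains; preload");
  res.set_header("X-UA-Compatible", "IE=11");
  // Refuse to be framed by any origin, which defeats clickjacking.
  res.set_header("X-Frame-Options", "DENY");
  res.set_header("X-XSS-Protection", "1; mode=block");
  // The standard header name is "Content-Security-Policy". The previous
  // "X-Content-Security-Policy" spelling was an early experimental name that
  // current browsers ignore, so the policy below was not actually enforced.
  // NOTE(review): 'default-src' alone also blocks inline script and style —
  // confirm the served UI relies on neither before shipping this change.
  res.set_header("Content-Security-Policy", "default-src 'self'");
}
}  // namespace crow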