Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 98df875b683ef4bc3b1be46300db67f35d11bac3 / . / include / security_headers.hpp
blob: c0855f439df65d0bc36993afb43871002af992d3 [file] [log] [blame]
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1#pragma once
2
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]3#include "bmcweb_config.h"
Ed Tanous2205bbf2021-06-17 13:33:47 -0700[diff] [blame]4
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]5#include "http_request.hpp"
6#include "http_response.hpp"
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]7
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]8inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
9 crow::Response& res)
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]10{
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]11 using bf = boost::beast::http::field;
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]12
Joseph Reynolds1d9502b2023-05-12 10:47:30 -0500[diff] [blame]13 // Recommendations from https://owasp.org/www-project-secure-headers/
14 // https://owasp.org/www-project-secure-headers/ci/headers_add.json
Ed Tanousd8139c62023-06-14 17:11:47 -0700[diff] [blame]15 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
16 "includeSubdomains");
Ed Tanousd8139c62023-06-14 17:11:47 -0700[diff] [blame]17
18 res.addHeader(bf::pragma, "no-cache");
19 res.addHeader(bf::cache_control, "no-store, max-age=0");
20
21 res.addHeader("X-Content-Type-Options", "nosniff");
22
Ed Tanousc056aa72024-04-14 09:57:09 -0700[diff] [blame]23 std::string_view contentType = res.getHeaderValue("Content-Type");
24 if (contentType.starts_with("text/html"))
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]25 {
Ed Tanousc056aa72024-04-14 09:57:09 -0700[diff] [blame]26 res.addHeader(bf::x_frame_options, "DENY");
27 res.addHeader("Referrer-Policy", "no-referrer");
28 res.addHeader("Permissions-Policy", "accelerometer=(),"
29 "ambient-light-sensor=(),"
30 "autoplay=(),"
31 "battery=(),"
32 "camera=(),"
33 "display-capture=(),"
34 "document-domain=(),"
35 "encrypted-media=(),"
36 "fullscreen=(),"
37 "gamepad=(),"
38 "geolocation=(),"
39 "gyroscope=(),"
40 "layout-animations=(self),"
41 "legacy-image-formats=(self),"
42 "magnetometer=(),"
43 "microphone=(),"
44 "midi=(),"
45 "oversized-images=(self),"
46 "payment=(),"
47 "picture-in-picture=(),"
48 "publickey-credentials-get=(),"
49 "speaker-selection=(),"
50 "sync-xhr=(self),"
51 "unoptimized-images=(self),"
52 "unsized-media=(self),"
53 "usb=(),"
54 "screen-wak-lock=(),"
55 "web-share=(),"
56 "xr-spatial-tracking=()");
57 res.addHeader("X-Permitted-Cross-Domain-Policies", "none");
58 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
59 res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
60 res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
Ed Tanous788fe742024-04-22 12:41:06 -0700[diff] [blame]61 res.addHeader("Content-Security-Policy", "default-src 'none'; "
62 "img-src 'self' data:; "
63 "font-src 'self'; "
64 "style-src 'self'; "
65 "script-src 'self'; "
66 "connect-src 'self' wss:; "
67 "form-action 'none'; "
68 "frame-ancestors 'none'; "
69 "object-src 'none'; "
70 "base-uri 'none' ");
71 // The KVM currently needs to load images from base64 encoded
72 // strings. img-src 'self' data: is used to allow that.
73 // https://stackoverflow.com/questions/18447970/content-security-polic
74 // y-data-not-working-for-base64-images-in-chrome-28
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]75 }
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]76}