Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / a232343d8c1ff05ac9fdb55f3ec299b42d6b6929 / . / include / security_headers.hpp
blob: 9877bb0b1ae998e88e64c7e5aa4f03cdbdbe7471 [file] [log] [blame]
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1#pragma once
2
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]3#include "bmcweb_config.h"
Ed Tanous2205bbf2021-06-17 13:33:47 -0700[diff] [blame]4
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]5#include "http_request.hpp"
6#include "http_response.hpp"
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]7
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]8inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
9 crow::Response& res)
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]10{
11 /*
12 TODO(ed) these should really check content types. for example,
13 X-UA-Compatible header doesn't make sense when retrieving a JSON or
14 javascript file. It doesn't hurt anything, it's just ugly.
15 */
16 using bf = boost::beast::http::field;
17 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
18 "includeSubdomains; "
19 "preload");
20 res.addHeader(bf::x_frame_options, "DENY");
21
22 res.addHeader(bf::pragma, "no-cache");
23 res.addHeader(bf::cache_control, "no-Store,no-Cache");
24
25 res.addHeader("X-XSS-Protection", "1; "
26 "mode=block");
27 res.addHeader("X-Content-Type-Options", "nosniff");
28
Ed Tanouse662eae2022-01-25 10:39:19 -0800[diff] [blame]29 if (bmcwebInsecureDisableXssPrevention == 0)
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]30 {
31 res.addHeader("Content-Security-Policy", "default-src 'none'; "
32 "img-src 'self' data:; "
33 "font-src 'self'; "
34 "style-src 'self'; "
35 "script-src 'self'; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]36 "connect-src 'self' wss:; "
37 "form-action 'none'; "
38 "frame-ancestors 'none'; "
Jiaqing Zhao91ac2e52022-03-17 00:18:58 +0800[diff] [blame]39 "object-src 'none'; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]40 "base-uri 'none' ");
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]41 // The KVM currently needs to load images from base64 encoded
42 // strings. img-src 'self' data: is used to allow that.
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]43 // https://stackoverflow.com/questions/18447970/content-security-polic
44 // y-data-not-working-for-base64-images-in-chrome-28
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]45 }
46 else
47 {
48 // If XSS is disabled, we need to allow loading from addresses other
49 // than self, as the BMC will be hosted elsewhere.
50 res.addHeader("Content-Security-Policy", "default-src 'none'; "
51 "img-src *; "
52 "font-src *; "
53 "style-src *; "
54 "script-src *; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]55 "connect-src *; "
56 "form-action *; "
57 "frame-ancestors *; "
Jiaqing Zhao91ac2e52022-03-17 00:18:58 +0800[diff] [blame]58 "object-src *; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]59 "base-uri *");
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]60
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]61 std::string_view origin = req.getHeaderValue("Origin");
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]62 res.addHeader(bf::access_control_allow_origin, origin);
63 res.addHeader(bf::access_control_allow_methods, "GET, "
64 "POST, "
65 "PUT, "
66 "PATCH, "
67 "DELETE");
68 res.addHeader(bf::access_control_allow_credentials, "true");
69 res.addHeader(bf::access_control_allow_headers, "Origin, "
70 "Content-Type, "
71 "Accept, "
72 "Cookie, "
73 "X-XSRF-TOKEN");
74 }
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]75}