Ed Tanous | 8041f31 | 2017-04-03 09:47:01 -0700 | [diff] [blame] | 1 | #pragma once |
| 2 | |
| 3 | #include <crow/http_request.h> |
| 4 | #include <crow/http_response.h> |
| 5 | |
| 6 | namespace crow { |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 7 | static const std::string strict_transport_security_key = |
| 8 | "Strict-Transport-Security"; |
| 9 | static const std::string strict_transport_security_value = |
| 10 | "max-age=31536000; includeSubdomains; preload"; |
| 11 | |
| 12 | static const std::string ua_compatability_key = "X-UA-Compatible"; |
| 13 | static const std::string ua_compatability_value = "IE=11"; |
| 14 | |
| 15 | static const std::string xframe_key = "X-Frame-Options"; |
| 16 | static const std::string xframe_value = "DENY"; |
| 17 | |
| 18 | static const std::string xss_key = "X-XSS-Protection"; |
| 19 | static const std::string xss_value = "1; mode=block"; |
| 20 | |
| 21 | static const std::string content_security_key = "X-Content-Security-Policy"; |
| 22 | static const std::string content_security_value = "default-src 'self'"; |
| 23 | |
Ed Tanous | 8041f31 | 2017-04-03 09:47:01 -0700 | [diff] [blame] | 24 | |
| 25 | struct SecurityHeadersMiddleware { |
| 26 | struct context {}; |
| 27 | |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 28 | void before_handle(crow::request& req, |
| 29 | response& res, |
| 30 | context& ctx) {} |
Ed Tanous | 8041f31 | 2017-04-03 09:47:01 -0700 | [diff] [blame] | 31 | |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 32 | void after_handle(request& /*req*/, |
| 33 | response& res, |
| 34 | context& ctx) { |
| 35 | /* |
| 36 | TODO(ed) these should really check content types. for example, |
| 37 | X-UA-Compatible header doesn't make sense when retrieving a JSON or |
| 38 | javascript file. It doesn't hurt anything, it's just ugly. |
| 39 | */ |
| 40 | res.add_header(strict_transport_security_key, |
| 41 | strict_transport_security_value); |
| 42 | res.add_header(ua_compatability_key, ua_compatability_value); |
| 43 | res.add_header(xframe_key, xframe_value); |
| 44 | res.add_header(xss_key, xss_value); |
| 45 | res.add_header(content_security_key, content_security_value); |
| 46 | } |
Ed Tanous | 8041f31 | 2017-04-03 09:47:01 -0700 | [diff] [blame] | 47 | }; |
| 48 | } |