#pragma once

#include <string>

#include <crow/http_request.h>
#include <crow/http_response.h>

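namespace crow {
// Security headers stamped onto every response by SecurityHeadersMiddleware.
// They are kept as std::string so they can be handed straight to
// response::add_header().

// HSTS: a browser that has received this over a valid TLS connection refuses
// plain HTTP to this host (and its subdomains) for one year. While the policy
// is cached, TLS certificate errors become non-bypassable in the browser
// (RFC 6797 section 8.4), which matters if the device ships a self-signed
// certificate. "preload" is inert by itself; it only takes effect once the
// host is submitted to the browser preload lists. Directive names are
// case-insensitive, so "includeSubdomains" is accepted as written.
static const std::string strict_transport_security_key =
    "Strict-Transport-Security";
static const std::string strict_transport_security_value =
    "max-age=31536000; includeSubdomains; preload";

// Only consulted by Internet Explorer; harmless for other clients.
static const std::string ua_compatability_key = "X-UA-Compatible";
static const std::string ua_compatability_value = "IE=11";

// Clickjacking defence: no origin may frame the UI.
static const std::string xframe_key = "X-Frame-Options";
static const std::string xframe_value = "DENY";

// Legacy reflected-XSS filter toggle. Chromium removed its XSS auditor and
// Firefox never had one, so this is a no-op in current browsers; the CSP
// below is the actual control.
static const std::string xss_key = "X-XSS-Protection";
static const std::string xss_value = "1; mode=block";

// Content-Security-Policy. The header was previously sent as
// "X-Content-Security-Policy", the pre-standard Firefox/IE experiment that
// current browsers ignore, so "default-src 'self'" was never actually
// enforced.
// NOTE(review): now that it is enforced, verify the web UI does not rely on
// inline scripts/styles or cross-origin resources before shipping.
static const std::string content_security_key = "Content-Security-Policy";
static const std::string content_security_value = "default-src 'self'";

// Stops browsers from MIME-sniffing a body away from its declared
// Content-Type (e.g. treating a JSON or text response as script).
static const std::string content_type_options_key = "X-Content-Type-Options";
static const std::string content_type_options_value = "nosniff";

// Crow middleware that appends the headers above to every response.
// It keeps no per-request state, so its context is empty.
struct SecurityHeadersMiddleware {
  struct context {};

  // Nothing to do before the handler runs. Parameters are left unnamed so
  // the empty body does not trigger unused-parameter warnings.
  void before_handle(request& /*req*/, response& /*res*/, context& /*ctx*/) {}

  // Runs after the handler and unconditionally adds every security header.
  //
  // TODO(ed) these should really check content types. for example,
  // X-UA-Compatible header doesn't make sense when retrieving a JSON or
  // javascript file. It doesn't hurt anything, it's just ugly.
  //
  // NOTE(review): add_header is assumed to append rather than replace; if a
  // handler already set one of these headers the response will carry both
  // values. Confirm that is the intended behaviour.
  void after_handle(request& /*req*/, response& res, context& /*ctx*/) {
    res.add_header(strict_transport_security_key,
                   strict_transport_security_value);
    res.add_header(ua_compatability_key, ua_compatability_value);
    res.add_header(xframe_key, xframe_value);
    res.add_header(xss_key, xss_value);
    res.add_header(content_security_key, content_security_value);
    res.add_header(content_type_options_key, content_type_options_value);
  }
};
}  // namespace crow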