| Ed Tanous | 52cc112 | 2020-07-18 13:51:21 -0700 | [diff] [blame] | 1 | #pragma once |
| 2 | |
| Ed Tanous | 3ccb3ad | 2023-01-13 17:40:03 -0800 | [diff] [blame] | 3 | #include "bmcweb_config.h" |
| Ed Tanous | 2205bbf | 2021-06-17 13:33:47 -0700 | [diff] [blame] | 4 | |
| Ed Tanous | 3ccb3ad | 2023-01-13 17:40:03 -0800 | [diff] [blame] | 5 | #include "http_request.hpp" |
| 6 | #include "http_response.hpp" |
| Ed Tanous | 52cc112 | 2020-07-18 13:51:21 -0700 | [diff] [blame] | 7 | |
| Ed Tanous | 0260d9d | 2021-02-07 19:31:07 +0000 | [diff] [blame] | 8 | inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], |
| 9 | crow::Response& res) |
| Ed Tanous | 52cc112 | 2020-07-18 13:51:21 -0700 | [diff] [blame] | 10 | { |
| Ed Tanous | 52cc112 | 2020-07-18 13:51:21 -0700 | [diff] [blame] | 11 | using bf = boost::beast::http::field; |
| Ed Tanous | 52cc112 | 2020-07-18 13:51:21 -0700 | [diff] [blame] | 12 | |
| Joseph Reynolds | 1d9502b | 2023-05-12 10:47:30 -0500 | [diff] [blame] | 13 | // Recommendations from https://owasp.org/www-project-secure-headers/ |
| 14 | // https://owasp.org/www-project-secure-headers/ci/headers_add.json |
| Ed Tanous | d8139c6 | 2023-06-14 17:11:47 -0700 | [diff] [blame] | 15 | res.addHeader(bf::strict_transport_security, "max-age=31536000; " |
| 16 | "includeSubdomains"); |
| Ed Tanous | d8139c6 | 2023-06-14 17:11:47 -0700 | [diff] [blame] | 17 | |
| 18 | res.addHeader(bf::pragma, "no-cache"); |
| 19 | res.addHeader(bf::cache_control, "no-store, max-age=0"); |
| 20 | |
| 21 | res.addHeader("X-Content-Type-Options", "nosniff"); |
| 22 | |
| Ed Tanous | c056aa7 | 2024-04-14 09:57:09 -0700 | [diff] [blame^] | 23 | std::string_view contentType = res.getHeaderValue("Content-Type"); |
| 24 | if (contentType.starts_with("text/html")) |
| Ed Tanous | 0260d9d | 2021-02-07 19:31:07 +0000 | [diff] [blame] | 25 | { |
| Ed Tanous | c056aa7 | 2024-04-14 09:57:09 -0700 | [diff] [blame^] | 26 | res.addHeader(bf::x_frame_options, "DENY"); |
| 27 | res.addHeader("Referrer-Policy", "no-referrer"); |
| 28 | res.addHeader("Permissions-Policy", "accelerometer=()," |
| 29 | "ambient-light-sensor=()," |
| 30 | "autoplay=()," |
| 31 | "battery=()," |
| 32 | "camera=()," |
| 33 | "display-capture=()," |
| 34 | "document-domain=()," |
| 35 | "encrypted-media=()," |
| 36 | "fullscreen=()," |
| 37 | "gamepad=()," |
| 38 | "geolocation=()," |
| 39 | "gyroscope=()," |
| 40 | "layout-animations=(self)," |
| 41 | "legacy-image-formats=(self)," |
| 42 | "magnetometer=()," |
| 43 | "microphone=()," |
| 44 | "midi=()," |
| 45 | "oversized-images=(self)," |
| 46 | "payment=()," |
| 47 | "picture-in-picture=()," |
| 48 | "publickey-credentials-get=()," |
| 49 | "speaker-selection=()," |
| 50 | "sync-xhr=(self)," |
| 51 | "unoptimized-images=(self)," |
| 52 | "unsized-media=(self)," |
| 53 | "usb=()," |
| 54 | "screen-wak-lock=()," |
| 55 | "web-share=()," |
| 56 | "xr-spatial-tracking=()"); |
| 57 | res.addHeader("X-Permitted-Cross-Domain-Policies", "none"); |
| 58 | res.addHeader("Cross-Origin-Embedder-Policy", "require-corp"); |
| 59 | res.addHeader("Cross-Origin-Opener-Policy", "same-origin"); |
| 60 | res.addHeader("Cross-Origin-Resource-Policy", "same-origin"); |
| 61 | if (bmcwebInsecureDisableXssPrevention == 0) |
| 62 | { |
| 63 | res.addHeader("Content-Security-Policy", "default-src 'none'; " |
| 64 | "img-src 'self' data:; " |
| 65 | "font-src 'self'; " |
| 66 | "style-src 'self'; " |
| 67 | "script-src 'self'; " |
| 68 | "connect-src 'self' wss:; " |
| 69 | "form-action 'none'; " |
| 70 | "frame-ancestors 'none'; " |
| 71 | "object-src 'none'; " |
| 72 | "base-uri 'none' "); |
| 73 | // The KVM currently needs to load images from base64 encoded |
| 74 | // strings. img-src 'self' data: is used to allow that. |
| 75 | // https://stackoverflow.com/questions/18447970/content-security-polic |
| 76 | // y-data-not-working-for-base64-images-in-chrome-28 |
| 77 | } |
| 78 | else |
| 79 | { |
| 80 | // If XSS is disabled, we need to allow loading from addresses |
| 81 | // other than self, as the BMC will be hosted elsewhere. |
| 82 | res.addHeader("Content-Security-Policy", "default-src 'none'; " |
| 83 | "img-src * data:; " |
| 84 | "font-src *; " |
| 85 | "style-src *; " |
| 86 | "script-src *; " |
| 87 | "connect-src *; " |
| 88 | "form-action *; " |
| 89 | "frame-ancestors *; " |
| 90 | "object-src *; " |
| 91 | "base-uri *"); |
| Ed Tanous | 52cc112 | 2020-07-18 13:51:21 -0700 | [diff] [blame] | 92 | |
| Ed Tanous | c056aa7 | 2024-04-14 09:57:09 -0700 | [diff] [blame^] | 93 | std::string_view origin = req.getHeaderValue("Origin"); |
| 94 | res.addHeader(bf::access_control_allow_origin, origin); |
| 95 | res.addHeader(bf::access_control_allow_methods, "GET, " |
| 96 | "POST, " |
| 97 | "PUT, " |
| 98 | "PATCH, " |
| 99 | "DELETE"); |
| 100 | res.addHeader(bf::access_control_allow_credentials, "true"); |
| 101 | res.addHeader(bf::access_control_allow_headers, "Origin, " |
| 102 | "Content-Type, " |
| 103 | "Accept, " |
| 104 | "Cookie, " |
| 105 | "X-XSRF-TOKEN"); |
| 106 | } |
| Ed Tanous | 0260d9d | 2021-02-07 19:31:07 +0000 | [diff] [blame] | 107 | } |
| Ed Tanous | 52cc112 | 2020-07-18 13:51:21 -0700 | [diff] [blame] | 108 | } |