Blame - include/security_headers.hpp - openbmc/bmcweb

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

1

#pragma once

2

Ed Tanous

3ccb3ad

2023-01-13 17:40:03 -0800

[diff] [blame]

3

#include "bmcweb_config.h"

Ed Tanous

2205bbf

2021-06-17 13:33:47 -0700

[diff] [blame]

4

Ed Tanous

3ccb3ad

2023-01-13 17:40:03 -0800

[diff] [blame]

5

#include "http_request.hpp"

6

#include "http_response.hpp"

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

7

Ed Tanous

89cda63

2024-04-16 08:45:54 -0700

[diff] [blame]

8

inline void addSecurityHeaders(crow::Response& res)

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

9

{

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

10

using bf = boost::beast::http::field;

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

11

Joseph Reynolds

1d9502b

2023-05-12 10:47:30 -0500

[diff] [blame]

12

// Recommendations from https://owasp.org/www-project-secure-headers/

13

// https://owasp.org/www-project-secure-headers/ci/headers_add.json

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

14

res.addHeader(bf::strict_transport_security, "max-age=31536000; "

15

"includeSubdomains");

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

16

17

res.addHeader(bf::pragma, "no-cache");

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

18

Ed Tanous

499b5b4

2024-04-06 08:39:18 -0700

[diff] [blame]

19

if (res.getHeaderValue(bf::cache_control).empty())

20

{

21

res.addHeader(bf::cache_control, "no-store, max-age=0");

22

}

Ed Tanous

d8139c6

2023-06-14 17:11:47 -0700

[diff] [blame]

23

res.addHeader("X-Content-Type-Options", "nosniff");

24

Ed Tanous

c056aa7

2024-04-14 09:57:09 -0700

[diff] [blame]

25

std::string_view contentType = res.getHeaderValue("Content-Type");

26

if (contentType.starts_with("text/html"))

Ed Tanous

0260d9d

2021-02-07 19:31:07 +0000

[diff] [blame]

27

{

Ed Tanous

c056aa7

2024-04-14 09:57:09 -0700

[diff] [blame]

28

res.addHeader(bf::x_frame_options, "DENY");

29

res.addHeader("Referrer-Policy", "no-referrer");

30

res.addHeader("Permissions-Policy", "accelerometer=(),"

31

"ambient-light-sensor=(),"

"autoplay=(),"

"battery=(),"

"camera=(),"

"display-capture=(),"

36

"document-domain=(),"

37

"encrypted-media=(),"

"fullscreen=(),"

"gamepad=(),"

"geolocation=(),"

"gyroscope=(),"

"layout-animations=(self),"

43

"legacy-image-formats=(self),"

"magnetometer=(),"

"microphone=(),"

"midi=(),"

"oversized-images=(self),"

48

"payment=(),"

49

"picture-in-picture=(),"

50

"publickey-credentials-get=(),"

51

"speaker-selection=(),"

52

"sync-xhr=(self),"

53

"unoptimized-images=(self),"

54

"unsized-media=(self),"

55

"usb=(),"

56

"screen-wak-lock=(),"

57

"web-share=(),"

58

"xr-spatial-tracking=()");

59

res.addHeader("X-Permitted-Cross-Domain-Policies", "none");

60

res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");

61

res.addHeader("Cross-Origin-Opener-Policy", "same-origin");

62

res.addHeader("Cross-Origin-Resource-Policy", "same-origin");

Ed Tanous

788fe74

2024-04-22 12:41:06 -0700

[diff] [blame]

63

res.addHeader("Content-Security-Policy", "default-src 'none'; "

64

"img-src 'self' data:; "

65

"font-src 'self'; "

66

"style-src 'self'; "

67

"script-src 'self'; "

68

"connect-src 'self' wss:; "

69

"form-action 'none'; "

70

"frame-ancestors 'none'; "

71

"object-src 'none'; "

72

"base-uri 'none' ");

73

// The KVM currently needs to load images from base64 encoded

74

// strings. img-src 'self' data: is used to allow that.

75

// https://stackoverflow.com/questions/18447970/content-security-polic

76

// y-data-not-working-for-base64-images-in-chrome-28

Ed Tanous

0260d9d

2021-02-07 19:31:07 +0000

[diff] [blame]

77

}

Ed Tanous

52cc112

2020-07-18 13:51:21 -0700

[diff] [blame]

78

}