Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / d8139c683a2f42c47ed913b731becc6cd681e2dd / . / include / security_headers.hpp
blob: 9615f6548c5000bc5c56fed36f4b33a216a2a888 [file] [log] [blame]
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1#pragma once
2
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]3#include "bmcweb_config.h"
Ed Tanous2205bbf2021-06-17 13:33:47 -0700[diff] [blame]4
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]5#include "http_request.hpp"
6#include "http_response.hpp"
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]7
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]8inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
9 crow::Response& res)
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]10{
11 /*
12 TODO(ed) these should really check content types. for example,
Ed Tanousd8139c62023-06-14 17:11:47 -0700[diff] [blame^]13 X-Content-Type-Options header doesn't make sense when retrieving a JSON or
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]14 javascript file. It doesn't hurt anything, it's just ugly.
15 */
16 using bf = boost::beast::http::field;
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]17
Joseph Reynolds1d9502b2023-05-12 10:47:30 -0500[diff] [blame]18 // Recommendations from https://owasp.org/www-project-secure-headers/
19 // https://owasp.org/www-project-secure-headers/ci/headers_add.json
Ed Tanousd8139c62023-06-14 17:11:47 -0700[diff] [blame^]20 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
21 "includeSubdomains");
22 res.addHeader(bf::x_frame_options, "DENY");
23
24 res.addHeader(bf::pragma, "no-cache");
25 res.addHeader(bf::cache_control, "no-store, max-age=0");
26
27 res.addHeader("X-Content-Type-Options", "nosniff");
28
Joseph Reynolds1d9502b2023-05-12 10:47:30 -0500[diff] [blame]29 res.addHeader("Referrer-Policy", "no-referrer");
Ed Tanousd8139c62023-06-14 17:11:47 -0700[diff] [blame^]30 res.addHeader("Permissions-Policy", "accelerometer=(),"
31 "ambient-light-sensor=(),"
32 "autoplay=(),"
33 "battery=(),"
34 "camera=(),"
35 "display-capture=(),"
36 "document-domain=(),"
37 "encrypted-media=(),"
38 "fullscreen=(),"
39 "gamepad=(),"
40 "geolocation=(),"
41 "gyroscope=(),"
42 "layout-animations=(self),"
43 "legacy-image-formats=(self),"
44 "magnetometer=(),"
45 "microphone=(),"
46 "midi=(),"
47 "oversized-images=(self),"
48 "payment=(),"
49 "picture-in-picture=(),"
50 "publickey-credentials-get=(),"
51 "speaker-selection=()"
52 "sync-xhr=(self),"
53 "unoptimized-images=(self),"
54 "unsized-media=(self),"
55 "usb=(),"
56 "screen-wak-lock=(),"
57 "web-share=(),"
58 "xr-spatial-tracking=()");
59
60 res.addHeader("X-Permitted-Cross-Domain-Policies", "none");
61
62 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
63 res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
64 res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
Joseph Reynolds1d9502b2023-05-12 10:47:30 -0500[diff] [blame]65
Ed Tanouse662eae2022-01-25 10:39:19 -0800[diff] [blame]66 if (bmcwebInsecureDisableXssPrevention == 0)
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]67 {
68 res.addHeader("Content-Security-Policy", "default-src 'none'; "
69 "img-src 'self' data:; "
70 "font-src 'self'; "
71 "style-src 'self'; "
72 "script-src 'self'; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]73 "connect-src 'self' wss:; "
74 "form-action 'none'; "
75 "frame-ancestors 'none'; "
Jiaqing Zhao91ac2e52022-03-17 00:18:58 +0800[diff] [blame]76 "object-src 'none'; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]77 "base-uri 'none' ");
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]78 // The KVM currently needs to load images from base64 encoded
79 // strings. img-src 'self' data: is used to allow that.
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]80 // https://stackoverflow.com/questions/18447970/content-security-polic
81 // y-data-not-working-for-base64-images-in-chrome-28
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]82 }
83 else
84 {
85 // If XSS is disabled, we need to allow loading from addresses other
86 // than self, as the BMC will be hosted elsewhere.
87 res.addHeader("Content-Security-Policy", "default-src 'none'; "
88 "img-src *; "
89 "font-src *; "
90 "style-src *; "
91 "script-src *; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]92 "connect-src *; "
93 "form-action *; "
94 "frame-ancestors *; "
Jiaqing Zhao91ac2e52022-03-17 00:18:58 +0800[diff] [blame]95 "object-src *; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]96 "base-uri *");
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]97
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]98 std::string_view origin = req.getHeaderValue("Origin");
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]99 res.addHeader(bf::access_control_allow_origin, origin);
100 res.addHeader(bf::access_control_allow_methods, "GET, "
101 "POST, "
102 "PUT, "
103 "PATCH, "
104 "DELETE");
105 res.addHeader(bf::access_control_allow_credentials, "true");
106 res.addHeader(bf::access_control_allow_headers, "Origin, "
107 "Content-Type, "
108 "Accept, "
109 "Cookie, "
110 "X-XSRF-TOKEN");
111 }
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]112}