blob: 13ec893863e191cdfcd05a12e7477e3f78df9780 [file] [log] [blame]
Ed Tanous52cc1122020-07-18 13:51:21 -07001#pragma once
2
Ed Tanous04e438c2020-10-03 08:06:26 -07003#include <http_response.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -07004
5inline void addSecurityHeaders(crow::Response& res)
6{
7 /*
8 TODO(ed) these should really check content types. for example,
9 X-UA-Compatible header doesn't make sense when retrieving a JSON or
10 javascript file. It doesn't hurt anything, it's just ugly.
11 */
12 using bf = boost::beast::http::field;
13 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
14 "includeSubdomains; "
15 "preload");
16 res.addHeader(bf::x_frame_options, "DENY");
17
18 res.addHeader(bf::pragma, "no-cache");
19 res.addHeader(bf::cache_control, "no-Store,no-Cache");
20
21 res.addHeader("X-XSS-Protection", "1; "
22 "mode=block");
23 res.addHeader("X-Content-Type-Options", "nosniff");
24
25#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
26 res.addHeader("Content-Security-Policy", "default-src 'none'; "
27 "img-src 'self' data:; "
28 "font-src 'self'; "
29 "style-src 'self'; "
30 "script-src 'self'; "
31 "connect-src 'self' wss:");
32 // The KVM currently needs to load images from base64 encoded
33 // strings. img-src 'self' data: is used to allow that.
34 // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
35
36#else
37 // If XSS is disabled, we need to allow loading from addresses other
38 // than self, as the BMC will be hosted elsewhere.
39 res.addHeader("Content-Security-Policy", "default-src 'none'; "
40 "img-src *; "
41 "font-src *; "
42 "style-src *; "
43 "script-src *; "
44 "connect-src *");
45
46 const std::string_view origin = req.getHeaderValue("Origin");
47 res.addHeader(bf::access_control_allow_origin, origin);
48 res.addHeader(bf::access_control_allow_methods, "GET, "
49 "POST, "
50 "PUT, "
51 "PATCH, "
52 "DELETE");
53 res.addHeader(bf::access_control_allow_credentials, "true");
54 res.addHeader(bf::access_control_allow_headers, "Origin, "
55 "Content-Type, "
56 "Accept, "
57 "Cookie, "
58 "X-XSRF-TOKEN");
59
60#endif
61}