Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / f5a5d81de61863a189fb1154f5f4780c88d41d7d / . / include / security_headers_middleware.hpp
blob: 4ef864b082741cdd74f0b3ce58311be73411c46a [file] [log] [blame]
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]1#pragma once
2
3#include <crow/http_request.h>
4#include <crow/http_response.h>
5
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]6namespace crow
7{
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]8struct SecurityHeadersMiddleware
9{
10 struct Context
11 {
12 };
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]13
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]14 void beforeHandle(crow::Request& req, Response& res, Context& ctx)
15 {
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]16#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]17 if ("OPTIONS"_method == req.method())
18 {
19 res.end();
20 }
21#endif
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]22 }
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]23
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]24 void afterHandle(Request& req, Response& res, Context& ctx)
25 {
26 /*
27 TODO(ed) these should really check content types. for example,
28 X-UA-Compatible header doesn't make sense when retrieving a JSON or
29 javascript file. It doesn't hurt anything, it's just ugly.
30 */
Ed Tanous750ceae2018-11-30 15:02:22 -0800[diff] [blame]31 using bf = boost::beast::http::field;
32 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
33 "includeSubdomains; "
34 "preload");
35 res.addHeader(bf::x_frame_options, "DENY");
36
37 res.addHeader(bf::pragma, "no-cache");
38 res.addHeader(bf::cache_control, "no-Store,no-Cache");
39 res.addHeader("X-Content-Security-Policy", "default-src 'self'");
40 res.addHeader("X-XSS-Protection", "1; "
41 "mode=block");
42 res.addHeader("X-UA-Compatible", "IE=11");
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]43
44#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
45
Ed Tanous750ceae2018-11-30 15:02:22 -0800[diff] [blame]46 res.addHeader(bf::access_control_allow_origin, "http://localhost:8080");
47 res.addHeader(bf::access_control_allow_methods, "GET, "
48 "POST, "
49 "PUT, "
50 "PATCH");
51 res.addHeader(bf::access_control_allow_credentials, "true");
52 res.addHeader(bf::access_control_allow_headers, "Origin, "
53 "Content-Type, "
54 "Accept, "
55 "Cookie, "
56 "X-XSRF-TOKEN");
Ed Tanousfd828ba2018-08-09 10:58:08 -0700[diff] [blame]57
58#endif
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]59 }
Ed Tanous8041f312017-04-03 09:47:01 -0700[diff] [blame]60};
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]61} // namespace crow