Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / ffed87b5ad1797ca966d030e7f97977028d258fa / . / include / security_headers.hpp
blob: 6cf26898f641fe2ae2ea6a4b0b4398d0d8a9b372 [file] [log] [blame]
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]1#pragma once
2
Ed Tanous04e438c2020-10-03 08:06:26 -0700[diff] [blame]3#include <http_response.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]4
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]5inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
6 crow::Response& res)
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]7{
8 /*
9 TODO(ed) these should really check content types. for example,
10 X-UA-Compatible header doesn't make sense when retrieving a JSON or
11 javascript file. It doesn't hurt anything, it's just ugly.
12 */
13 using bf = boost::beast::http::field;
14 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
15 "includeSubdomains; "
16 "preload");
17 res.addHeader(bf::x_frame_options, "DENY");
18
19 res.addHeader(bf::pragma, "no-cache");
20 res.addHeader(bf::cache_control, "no-Store,no-Cache");
21
22 res.addHeader("X-XSS-Protection", "1; "
23 "mode=block");
24 res.addHeader("X-Content-Type-Options", "nosniff");
25
Arun P. Mohanancd1f3922021-03-09 19:27:47 +0530[diff] [blame]26 if (!bmcwebInsecureDisableXssPrevention)
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]27 {
28 res.addHeader("Content-Security-Policy", "default-src 'none'; "
29 "img-src 'self' data:; "
30 "font-src 'self'; "
31 "style-src 'self'; "
32 "script-src 'self'; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]33 "connect-src 'self' wss:; "
34 "form-action 'none'; "
35 "frame-ancestors 'none'; "
36 "plugin-types 'none'; "
37 "base-uri 'none' ");
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]38 // The KVM currently needs to load images from base64 encoded
39 // strings. img-src 'self' data: is used to allow that.
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]40 // https://stackoverflow.com/questions/18447970/content-security-polic
41 // y-data-not-working-for-base64-images-in-chrome-28
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]42 }
43 else
44 {
45 // If XSS is disabled, we need to allow loading from addresses other
46 // than self, as the BMC will be hosted elsewhere.
47 res.addHeader("Content-Security-Policy", "default-src 'none'; "
48 "img-src *; "
49 "font-src *; "
50 "style-src *; "
51 "script-src *; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -0700[diff] [blame]52 "connect-src *; "
53 "form-action *; "
54 "frame-ancestors *; "
55 "plugin-types *; "
56 "base-uri *");
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]57
Ed Tanous0260d9d2021-02-07 19:31:07 +0000[diff] [blame]58 const std::string_view origin = req.getHeaderValue("Origin");
59 res.addHeader(bf::access_control_allow_origin, origin);
60 res.addHeader(bf::access_control_allow_methods, "GET, "
61 "POST, "
62 "PUT, "
63 "PATCH, "
64 "DELETE");
65 res.addHeader(bf::access_control_allow_credentials, "true");
66 res.addHeader(bf::access_control_allow_headers, "Origin, "
67 "Content-Type, "
68 "Accept, "
69 "Cookie, "
70 "X-XSRF-TOKEN");
71 }
Ed Tanous52cc1122020-07-18 13:51:21 -0700[diff] [blame]72}