Nginx adds http security headers

Nginx now adds security-related headers to HTTP responses per
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
and consistent with openbmc/bmcweb (see header file
include/security_headers_middleware.hpp).

Tested:
curl -D headers http://${bmc}
  redirects to https
  No security headers apply, and none are sent
curl https://${bmc}
  contains security headers and works properly
curl https://${bmc}/xyz/openbmc_project/software
  contains Strict-Transport-Security header, and works
curl ... -X POST -T ${image} https://${bmc}/upload/image
  works
firefox http redirects to https
firefox https://${bmc}/ logs in and works

Resolves openbmc/openbmc#3195
Change-Id: Iae5c0245de2ebdbc6f55dc065f34dc53ab1af438
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
1 file changed
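
The curl checks listed under "Tested:" can be repeated offline against saved header dumps. The script below is an added example, not part of the commit or of the OpenBMC tree. The function names, the `bmc.example` host, the sample dumps and the header list in `SEC_HEADERS` are assumptions; the commit message itself names only Strict-Transport-Security.

```shell
#!/bin/sh
# Added example: offline checks over header dumps saved with `curl -D <file>`.
# Assumed set of names to look for; the commit message names only Strict-Transport-Security.
SEC_HEADERS="Strict-Transport-Security X-Frame-Options X-Content-Type-Options Content-Security-Policy"

# header_value FILE NAME: print the value of header NAME (case-insensitive), empty if absent.
header_value() {
    tr -d '\r' < "$1" | awk -v name="$2" 'BEGIN { name = tolower(name) }
        { i = index($0, ":")
          if (i > 0 && tolower(substr($0, 1, i - 1)) == name) {
              v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# status_code FILE: print the status code from the first line, e.g. "HTTP/1.1 301 ...".
status_code() { tr -d '\r' < "$1" | awk 'NR == 1 { print $2 }'; }

# check_redirect FILE: plain-http reply must redirect to https and carry no security headers.
check_redirect() {
    case "$(status_code "$1")" in
        301|302|307|308) ;;
        *) echo "FAIL: not a redirect"; return 1 ;;
    esac
    case "$(header_value "$1" Location)" in
        https://*) ;;
        *) echo "FAIL: Location is not https"; return 1 ;;
    esac
    for h in $SEC_HEADERS; do
        [ -z "$(header_value "$1" "$h")" ] || { echo "FAIL: $h sent over http"; return 1; }
    done
    echo "OK: redirect to https, no security headers"
}

# check_https FILE: https reply must carry HSTS with max-age > 0 (max-age=0 clears the policy).
check_https() {
    hsts=$(header_value "$1" Strict-Transport-Security)
    [ -n "$hsts" ] || { echo "FAIL: Strict-Transport-Security missing"; return 1; }
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -gt 0 ] || { echo "FAIL: max-age missing or zero"; return 1; }
    echo "OK: HSTS max-age=$age"
}

# write_samples DIR: constructed dumps (not captured from a real BMC), CRLF as on the wire.
write_samples() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://bmc.example/\r\n\r\n' > "$1/http.hdr"
    printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n' > "$1/https.hdr"
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n' > "$1/weak.hdr"
}

d=$(mktemp -d) && write_samples "$d"
check_redirect "$d/http.hdr"; check_https "$d/https.hdr"; rm -rf "$d"
```

To check a live device, save the dumps with `curl -D` as in the test list and pass those files to `check_redirect` and `check_https` in place of the constructed samples.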