1 // SPDX-License-Identifier: Apache-2.0
2 // SPDX-FileCopyrightText: Copyright OpenBMC Authors
13     // Recommendations from https://owasp.org/www-project-secure-headers/  in addSecurityHeaders()
14     // https://owasp.org/www-project-secure-headers/ci/headers_add.json  in addSecurityHeaders()
15     res.addHeader(bf::strict_transport_security, "max-age=31536000; "  in addSecurityHeaders()
18     res.addHeader(bf::pragma, "no-cache");  in addSecurityHeaders()
22         res.addHeader(bf::cache_control, "no-store, max-age=0");  in addSecurityHeaders()
24     res.addHeader("X-Content-Type-Options", "nosniff");  in addSecurityHeaders()
26     std::string_view contentType = res.getHeaderValue("Content-Type");  in addSecurityHeaders()
30         res.addHeader("Referrer-Policy", "no-referrer");  in addSecurityHeaders()
32             "Permissions-Policy",  in addSecurityHeaders()
34             "ambient-light-sensor=(),"  in addSecurityHeaders()
38             "display-capture=(),"  in addSecurityHeaders()
39             "document-domain=(),"  in addSecurityHeaders()
40             "encrypted-media=(),"  in addSecurityHeaders()
45             "layout-animations=(self),"  in addSecurityHeaders()
46             "legacy-image-formats=(self),"  in addSecurityHeaders()
50             "oversized-images=(self),"  in addSecurityHeaders()
52             "picture-in-picture=(),"  in addSecurityHeaders()
53             "publickey-credentials-get=(),"  in addSecurityHeaders()
54             "speaker-selection=(),"  in addSecurityHeaders()
55             "sync-xhr=(self),"  in addSecurityHeaders()
56             "unoptimized-images=(self),"  in addSecurityHeaders()
57             "unsized-media=(self),"  in addSecurityHeaders()
59             "screen-wak-lock=(),"  in addSecurityHeaders()
60             "web-share=(),"  in addSecurityHeaders()
61             "xr-spatial-tracking=()");  in addSecurityHeaders()
62         res.addHeader("X-Permitted-Cross-Domain-Policies", "none");  in addSecurityHeaders()
63         res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");  in addSecurityHeaders()
64         res.addHeader("Cross-Origin-Opener-Policy", "same-origin");  in addSecurityHeaders()
65         res.addHeader("Cross-Origin-Resource-Policy", "same-origin");  in addSecurityHeaders()
66         res.addHeader("Content-Security-Policy",  in addSecurityHeaders()
67                       "default-src 'none'; "  in addSecurityHeaders()
68                       "img-src 'self' data:; "  in addSecurityHeaders()
69                       "font-src 'self'; "  in addSecurityHeaders()
70                       "style-src 'self'; "  in addSecurityHeaders()
71                       "script-src 'self'; "  in addSecurityHeaders()
72                       "connect-src 'self' wss:; "  in addSecurityHeaders()
73                       "form-action 'none'; "  in addSecurityHeaders()
74                       "frame-ancestors 'none'; "  in addSecurityHeaders()
75                       "object-src 'none'; "  in addSecurityHeaders()
76                       "base-uri 'none' ");  in addSecurityHeaders()
78         // strings. img-src 'self' data: is used to allow that.  in addSecurityHeaders()
79         // https://stackoverflow.com/questions/18447970/content-security-polic  in addSecurityHeaders()
80         // y-data-not-working-for-base64-images-in-chrome-28  in addSecurityHeaders()