#pragma once #include "bmcweb_config.h" #include "http_request.hpp" #include "http_response.hpp" inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], crow::Response& res) { /* TODO(ed) these should really check content types. for example, X-Content-Type-Options header doesn't make sense when retrieving a JSON or javascript file. It doesn't hurt anything, it's just ugly. */ using bf = boost::beast::http::field; // Recommendations from https://owasp.org/www-project-secure-headers/ // https://owasp.org/www-project-secure-headers/ci/headers_add.json res.addHeader(bf::strict_transport_security, "max-age=31536000; " "includeSubdomains"); res.addHeader(bf::x_frame_options, "DENY"); res.addHeader(bf::pragma, "no-cache"); res.addHeader(bf::cache_control, "no-store, max-age=0"); res.addHeader("X-Content-Type-Options", "nosniff"); res.addHeader("Referrer-Policy", "no-referrer"); res.addHeader("Permissions-Policy", "accelerometer=()," "ambient-light-sensor=()," "autoplay=()," "battery=()," "camera=()," "display-capture=()," "document-domain=()," "encrypted-media=()," "fullscreen=()," "gamepad=()," "geolocation=()," "gyroscope=()," "layout-animations=(self)," "legacy-image-formats=(self)," "magnetometer=()," "microphone=()," "midi=()," "oversized-images=(self)," "payment=()," "picture-in-picture=()," "publickey-credentials-get=()," "speaker-selection=()" "sync-xhr=(self)," "unoptimized-images=(self)," "unsized-media=(self)," "usb=()," "screen-wak-lock=()," "web-share=()," "xr-spatial-tracking=()"); res.addHeader("X-Permitted-Cross-Domain-Policies", "none"); res.addHeader("Cross-Origin-Embedder-Policy", "require-corp"); res.addHeader("Cross-Origin-Opener-Policy", "same-origin"); res.addHeader("Cross-Origin-Resource-Policy", "same-origin"); if (bmcwebInsecureDisableXssPrevention == 0) { res.addHeader("Content-Security-Policy", "default-src 'none'; " "img-src 'self' data:; " "font-src 'self'; " "style-src 'self'; " "script-src 'self'; " "connect-src 'self' wss:; " "form-action 'none'; " "frame-ancestors 'none'; " "object-src 'none'; " "base-uri 'none' "); // The KVM currently needs to load images from base64 encoded // strings. img-src 'self' data: is used to allow that. // https://stackoverflow.com/questions/18447970/content-security-polic // y-data-not-working-for-base64-images-in-chrome-28 } else { // If XSS is disabled, we need to allow loading from addresses other // than self, as the BMC will be hosted elsewhere. res.addHeader("Content-Security-Policy", "default-src 'none'; " "img-src *; " "font-src *; " "style-src *; " "script-src *; " "connect-src *; " "form-action *; " "frame-ancestors *; " "object-src *; " "base-uri *"); std::string_view origin = req.getHeaderValue("Origin"); res.addHeader(bf::access_control_allow_origin, origin); res.addHeader(bf::access_control_allow_methods, "GET, " "POST, " "PUT, " "PATCH, " "DELETE"); res.addHeader(bf::access_control_allow_credentials, "true"); res.addHeader(bf::access_control_allow_headers, "Origin, " "Content-Type, " "Accept, " "Cookie, " "X-XSRF-TOKEN"); } }