1 #pragma once 2 3 #include <http_response.hpp> 4 5 inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], 6 crow::Response& res) 7 { 8 /* 9 TODO(ed) these should really check content types. for example, 10 X-UA-Compatible header doesn't make sense when retrieving a JSON or 11 javascript file. It doesn't hurt anything, it's just ugly. 12 */ 13 using bf = boost::beast::http::field; 14 res.addHeader(bf::strict_transport_security, "max-age=31536000; " 15 "includeSubdomains; " 16 "preload"); 17 res.addHeader(bf::x_frame_options, "DENY"); 18 19 res.addHeader(bf::pragma, "no-cache"); 20 res.addHeader(bf::cache_control, "no-Store,no-Cache"); 21 22 res.addHeader("X-XSS-Protection", "1; " 23 "mode=block"); 24 res.addHeader("X-Content-Type-Options", "nosniff"); 25 26 if (!bmcwebInsecureDisableXssPrevention) 27 { 28 res.addHeader("Content-Security-Policy", "default-src 'none'; " 29 "img-src 'self' data:; " 30 "font-src 'self'; " 31 "style-src 'self'; " 32 "script-src 'self'; " 33 "connect-src 'self' wss:; " 34 "form-action 'none'; " 35 "frame-ancestors 'none'; " 36 "plugin-types 'none'; " 37 "base-uri 'none' "); 38 // The KVM currently needs to load images from base64 encoded 39 // strings. img-src 'self' data: is used to allow that. 40 // https://stackoverflow.com/questions/18447970/content-security-polic 41 // y-data-not-working-for-base64-images-in-chrome-28 42 } 43 else 44 { 45 // If XSS is disabled, we need to allow loading from addresses other 46 // than self, as the BMC will be hosted elsewhere. 47 res.addHeader("Content-Security-Policy", "default-src 'none'; " 48 "img-src *; " 49 "font-src *; " 50 "style-src *; " 51 "script-src *; " 52 "connect-src *; " 53 "form-action *; " 54 "frame-ancestors *; " 55 "plugin-types *; " 56 "base-uri *"); 57 58 const std::string_view origin = req.getHeaderValue("Origin"); 59 res.addHeader(bf::access_control_allow_origin, origin); 60 res.addHeader(bf::access_control_allow_methods, "GET, " 61 "POST, " 62 "PUT, " 63 "PATCH, " 64 "DELETE"); 65 res.addHeader(bf::access_control_allow_credentials, "true"); 66 res.addHeader(bf::access_control_allow_headers, "Origin, " 67 "Content-Type, " 68 "Accept, " 69 "Cookie, " 70 "X-XSRF-TOKEN"); 71 } 72 } 73