1 #pragma once 2 3 #include "bmcweb_config.h" 4 5 #include "http_request.hpp" 6 #include "http_response.hpp" 7 8 inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], 9 crow::Response& res) 10 { 11 using bf = boost::beast::http::field; 12 13 // Recommendations from https://owasp.org/www-project-secure-headers/ 14 // https://owasp.org/www-project-secure-headers/ci/headers_add.json 15 res.addHeader(bf::strict_transport_security, "max-age=31536000; " 16 "includeSubdomains"); 17 18 res.addHeader(bf::pragma, "no-cache"); 19 20 if (res.getHeaderValue(bf::cache_control).empty()) 21 { 22 res.addHeader(bf::cache_control, "no-store, max-age=0"); 23 } 24 res.addHeader("X-Content-Type-Options", "nosniff"); 25 26 std::string_view contentType = res.getHeaderValue("Content-Type"); 27 if (contentType.starts_with("text/html")) 28 { 29 res.addHeader(bf::x_frame_options, "DENY"); 30 res.addHeader("Referrer-Policy", "no-referrer"); 31 res.addHeader("Permissions-Policy", "accelerometer=()," 32 "ambient-light-sensor=()," 33 "autoplay=()," 34 "battery=()," 35 "camera=()," 36 "display-capture=()," 37 "document-domain=()," 38 "encrypted-media=()," 39 "fullscreen=()," 40 "gamepad=()," 41 "geolocation=()," 42 "gyroscope=()," 43 "layout-animations=(self)," 44 "legacy-image-formats=(self)," 45 "magnetometer=()," 46 "microphone=()," 47 "midi=()," 48 "oversized-images=(self)," 49 "payment=()," 50 "picture-in-picture=()," 51 "publickey-credentials-get=()," 52 "speaker-selection=()," 53 "sync-xhr=(self)," 54 "unoptimized-images=(self)," 55 "unsized-media=(self)," 56 "usb=()," 57 "screen-wak-lock=()," 58 "web-share=()," 59 "xr-spatial-tracking=()"); 60 res.addHeader("X-Permitted-Cross-Domain-Policies", "none"); 61 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp"); 62 res.addHeader("Cross-Origin-Opener-Policy", "same-origin"); 63 res.addHeader("Cross-Origin-Resource-Policy", "same-origin"); 64 res.addHeader("Content-Security-Policy", "default-src 'none'; " 65 "img-src 'self' data:; " 66 "font-src 'self'; " 67 "style-src 'self'; " 68 "script-src 'self'; " 69 "connect-src 'self' wss:; " 70 "form-action 'none'; " 71 "frame-ancestors 'none'; " 72 "object-src 'none'; " 73 "base-uri 'none' "); 74 // The KVM currently needs to load images from base64 encoded 75 // strings. img-src 'self' data: is used to allow that. 76 // https://stackoverflow.com/questions/18447970/content-security-polic 77 // y-data-not-working-for-base64-images-in-chrome-28 78 } 79 } 80