1 // SPDX-License-Identifier: Apache-2.0 2 // SPDX-FileCopyrightText: Copyright OpenBMC Authors 3 #pragma once 4 5 #include "bmcweb_config.h" 6 7 #include "http_request.hpp" 8 #include "http_response.hpp" 9 10 inline void addSecurityHeaders(crow::Response& res) 11 { 12 using bf = boost::beast::http::field; 13 14 // Recommendations from https://owasp.org/www-project-secure-headers/ 15 // https://owasp.org/www-project-secure-headers/ci/headers_add.json 16 res.addHeader(bf::strict_transport_security, "max-age=31536000; " 17 "includeSubdomains"); 18 19 res.addHeader(bf::pragma, "no-cache"); 20 21 if (res.getHeaderValue(bf::cache_control).empty()) 22 { 23 res.addHeader(bf::cache_control, "no-store, max-age=0"); 24 } 25 res.addHeader("X-Content-Type-Options", "nosniff"); 26 27 std::string_view contentType = res.getHeaderValue("Content-Type"); 28 if (contentType.starts_with("text/html")) 29 { 30 res.addHeader(bf::x_frame_options, "DENY"); 31 res.addHeader("Referrer-Policy", "no-referrer"); 32 res.addHeader( 33 "Permissions-Policy", 34 "accelerometer=()," 35 "ambient-light-sensor=()," 36 "autoplay=()," 37 "battery=()," 38 "camera=()," 39 "display-capture=()," 40 "document-domain=()," 41 "encrypted-media=()," 42 "fullscreen=()," 43 "gamepad=()," 44 "geolocation=()," 45 "gyroscope=()," 46 "layout-animations=(self)," 47 "legacy-image-formats=(self)," 48 "magnetometer=()," 49 "microphone=()," 50 "midi=()," 51 "oversized-images=(self)," 52 "payment=()," 53 "picture-in-picture=()," 54 "publickey-credentials-get=()," 55 "speaker-selection=()," 56 "sync-xhr=(self)," 57 "unoptimized-images=(self)," 58 "unsized-media=(self)," 59 "usb=()," 60 "screen-wak-lock=()," 61 "web-share=()," 62 "xr-spatial-tracking=()"); 63 res.addHeader("X-Permitted-Cross-Domain-Policies", "none"); 64 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp"); 65 res.addHeader("Cross-Origin-Opener-Policy", "same-origin"); 66 res.addHeader("Cross-Origin-Resource-Policy", "same-origin"); 67 res.addHeader("Content-Security-Policy", 68 "default-src 'none'; " 69 "img-src 'self' data:; " 70 "font-src 'self'; " 71 "style-src 'self'; " 72 "script-src 'self'; " 73 "connect-src 'self' wss:; " 74 "form-action 'none'; " 75 "frame-ancestors 'none'; " 76 "object-src 'none'; " 77 "base-uri 'none' "); 78 // The KVM currently needs to load images from base64 encoded 79 // strings. img-src 'self' data: is used to allow that. 80 // https://stackoverflow.com/questions/18447970/content-security-polic 81 // y-data-not-working-for-base64-images-in-chrome-28 82 } 83 } 84