1 #pragma once 2 3 #include <http_response.h> 4 5 inline void addSecurityHeaders(crow::Response& res) 6 { 7 /* 8 TODO(ed) these should really check content types. for example, 9 X-UA-Compatible header doesn't make sense when retrieving a JSON or 10 javascript file. It doesn't hurt anything, it's just ugly. 11 */ 12 using bf = boost::beast::http::field; 13 res.addHeader(bf::strict_transport_security, "max-age=31536000; " 14 "includeSubdomains; " 15 "preload"); 16 res.addHeader(bf::x_frame_options, "DENY"); 17 18 res.addHeader(bf::pragma, "no-cache"); 19 res.addHeader(bf::cache_control, "no-Store,no-Cache"); 20 21 res.addHeader("X-XSS-Protection", "1; " 22 "mode=block"); 23 res.addHeader("X-Content-Type-Options", "nosniff"); 24 25 #ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION 26 res.addHeader("Content-Security-Policy", "default-src 'none'; " 27 "img-src 'self' data:; " 28 "font-src 'self'; " 29 "style-src 'self'; " 30 "script-src 'self'; " 31 "connect-src 'self' wss:"); 32 // The KVM currently needs to load images from base64 encoded 33 // strings. img-src 'self' data: is used to allow that. 34 // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28 35 36 #else 37 // If XSS is disabled, we need to allow loading from addresses other 38 // than self, as the BMC will be hosted elsewhere. 39 res.addHeader("Content-Security-Policy", "default-src 'none'; " 40 "img-src *; " 41 "font-src *; " 42 "style-src *; " 43 "script-src *; " 44 "connect-src *"); 45 46 const std::string_view origin = req.getHeaderValue("Origin"); 47 res.addHeader(bf::access_control_allow_origin, origin); 48 res.addHeader(bf::access_control_allow_methods, "GET, " 49 "POST, " 50 "PUT, " 51 "PATCH, " 52 "DELETE"); 53 res.addHeader(bf::access_control_allow_credentials, "true"); 54 res.addHeader(bf::access_control_allow_headers, "Origin, " 55 "Content-Type, " 56 "Accept, " 57 "Cookie, " 58 "X-XSRF-TOKEN"); 59 60 #endif 61 } 62