#pragma once

#include "bmcweb_config.h"

#include "http_request.hpp"
#include "http_response.hpp"

// Attaches the hardening headers bmcweb sends on every HTTP response:
// HSTS, X-Frame-Options, cache suppression, nosniff, the legacy
// X-XSS-Protection filter hint and a Content-Security-Policy.
//
// Which CSP is sent depends on the bmcwebInsecureDisableXssPrevention
// build option:
//   - 0: a strict, self-only policy (the production setting).
//   - anything else: a wildcard policy plus CORS headers that reflect the
//     request's Origin and allow credentials, so a UI hosted off the BMC
//     can talk to it during development.
//
// req is read only in the insecure branch (for the Origin header), which
// is why the parameter is [[maybe_unused]]. Header emission order is part
// of the observable output and is kept stable here.
inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
                               crow::Response& res)
{
    // TODO(ed): these should really check content types. For example, the
    // X-UA-Compatible header makes no sense when serving a JSON or
    // javascript file. It doesn't hurt anything, it's just ugly.
    using bf = boost::beast::http::field;

    constexpr std::string_view hstsPolicy =
        "max-age=31536000; includeSubdomains; preload";
    constexpr std::string_view xssFilter = "1; mode=block";

    // Strict policy: every fetch directive is pinned to 'self' (or 'none').
    // img-src additionally permits data: because the KVM loads images from
    // base64 encoded strings, see
    // https://stackoverflow.com/questions/18447970/content-security-polic
    // y-data-not-working-for-base64-images-in-chrome-28
    // The trailing space after 'none' is preserved as-is.
    constexpr std::string_view strictCsp =
        "default-src 'none'; img-src 'self' data:; font-src 'self'; "
        "style-src 'self'; script-src 'self'; connect-src 'self' wss:; "
        "form-action 'none'; frame-ancestors 'none'; object-src 'none'; "
        "base-uri 'none' ";

    // Permissive policy for the XSS-prevention-disabled build: the BMC UI
    // is hosted elsewhere, so every source list is opened to '*'.
    constexpr std::string_view openCsp =
        "default-src 'none'; img-src *; font-src *; style-src *; "
        "script-src *; connect-src *; form-action *; frame-ancestors *; "
        "object-src *; base-uri *";

    constexpr std::string_view corsMethods = "GET, POST, PUT, PATCH, DELETE";
    constexpr std::string_view corsHeaders =
        "Origin, Content-Type, Accept, Cookie, X-XSRF-TOKEN";

    // Transport and framing hardening.
    res.addHeader(bf::strict_transport_security, hstsPolicy);
    res.addHeader(bf::x_frame_options, "DENY");

    // Responses may carry session-bound data; keep them out of caches.
    res.addHeader(bf::pragma, "no-cache");
    res.addHeader(bf::cache_control, "no-Store,no-Cache");

    // Legacy browser XSS filter hint and MIME-sniffing suppression.
    res.addHeader("X-XSS-Protection", xssFilter);
    res.addHeader("X-Content-Type-Options", "nosniff");

    if (bmcwebInsecureDisableXssPrevention != 0)
    {
        res.addHeader("Content-Security-Policy", openCsp);

        // Development-only CORS: the request's Origin is echoed back
        // verbatim together with allow-credentials, so any origin that
        // reaches this build can make credentialed requests. That is the
        // intended trade-off for hosting the UI off the BMC and is the
        // reason this branch must stay behind the insecure build option.
        // NOTE(review): if the request carries no Origin header the value
        // passed here is presumably empty — confirm getHeaderValue's
        // behaviour for absent headers.
        std::string_view requestOrigin = req.getHeaderValue("Origin");
        res.addHeader(bf::access_control_allow_origin, requestOrigin);
        res.addHeader(bf::access_control_allow_methods, corsMethods);
        res.addHeader(bf::access_control_allow_credentials, "true");
        res.addHeader(bf::access_control_allow_headers, corsHeaders);
    }
    else
    {
        res.addHeader("Content-Security-Policy", strictCsp);
    }
}