1 #pragma once 2 3 #include "bmcweb_config.h" 4 5 #include "http_request.hpp" 6 #include "http_response.hpp" 7 8 inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], 9 crow::Response& res) 10 { 11 using bf = boost::beast::http::field; 12 13 // Recommendations from https://owasp.org/www-project-secure-headers/ 14 // https://owasp.org/www-project-secure-headers/ci/headers_add.json 15 res.addHeader(bf::strict_transport_security, "max-age=31536000; " 16 "includeSubdomains"); 17 18 res.addHeader(bf::pragma, "no-cache"); 19 res.addHeader(bf::cache_control, "no-store, max-age=0"); 20 21 res.addHeader("X-Content-Type-Options", "nosniff"); 22 23 std::string_view contentType = res.getHeaderValue("Content-Type"); 24 if (contentType.starts_with("text/html")) 25 { 26 res.addHeader(bf::x_frame_options, "DENY"); 27 res.addHeader("Referrer-Policy", "no-referrer"); 28 res.addHeader("Permissions-Policy", "accelerometer=()," 29 "ambient-light-sensor=()," 30 "autoplay=()," 31 "battery=()," 32 "camera=()," 33 "display-capture=()," 34 "document-domain=()," 35 "encrypted-media=()," 36 "fullscreen=()," 37 "gamepad=()," 38 "geolocation=()," 39 "gyroscope=()," 40 "layout-animations=(self)," 41 "legacy-image-formats=(self)," 42 "magnetometer=()," 43 "microphone=()," 44 "midi=()," 45 "oversized-images=(self)," 46 "payment=()," 47 "picture-in-picture=()," 48 "publickey-credentials-get=()," 49 "speaker-selection=()," 50 "sync-xhr=(self)," 51 "unoptimized-images=(self)," 52 "unsized-media=(self)," 53 "usb=()," 54 "screen-wak-lock=()," 55 "web-share=()," 56 "xr-spatial-tracking=()"); 57 res.addHeader("X-Permitted-Cross-Domain-Policies", "none"); 58 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp"); 59 res.addHeader("Cross-Origin-Opener-Policy", "same-origin"); 60 res.addHeader("Cross-Origin-Resource-Policy", "same-origin"); 61 res.addHeader("Content-Security-Policy", "default-src 'none'; " 62 "img-src 'self' data:; " 63 "font-src 'self'; " 64 "style-src 'self'; " 65 "script-src 'self'; " 66 "connect-src 'self' wss:; " 67 "form-action 'none'; " 68 "frame-ancestors 'none'; " 69 "object-src 'none'; " 70 "base-uri 'none' "); 71 // The KVM currently needs to load images from base64 encoded 72 // strings. img-src 'self' data: is used to allow that. 73 // https://stackoverflow.com/questions/18447970/content-security-polic 74 // y-data-not-working-for-base64-images-in-chrome-28 75 } 76 } 77