1 #pragma once 2 3 #include "bmcweb_config.h" 4 5 #include "http_request.hpp" 6 #include "http_response.hpp" 7 8 inline void addSecurityHeaders(crow::Response& res) 9 { 10 using bf = boost::beast::http::field; 11 12 // Recommendations from https://owasp.org/www-project-secure-headers/ 13 // https://owasp.org/www-project-secure-headers/ci/headers_add.json 14 res.addHeader(bf::strict_transport_security, "max-age=31536000; " 15 "includeSubdomains"); 16 17 res.addHeader(bf::pragma, "no-cache"); 18 19 if (res.getHeaderValue(bf::cache_control).empty()) 20 { 21 res.addHeader(bf::cache_control, "no-store, max-age=0"); 22 } 23 res.addHeader("X-Content-Type-Options", "nosniff"); 24 25 std::string_view contentType = res.getHeaderValue("Content-Type"); 26 if (contentType.starts_with("text/html")) 27 { 28 res.addHeader(bf::x_frame_options, "DENY"); 29 res.addHeader("Referrer-Policy", "no-referrer"); 30 res.addHeader("Permissions-Policy", "accelerometer=()," 31 "ambient-light-sensor=()," 32 "autoplay=()," 33 "battery=()," 34 "camera=()," 35 "display-capture=()," 36 "document-domain=()," 37 "encrypted-media=()," 38 "fullscreen=()," 39 "gamepad=()," 40 "geolocation=()," 41 "gyroscope=()," 42 "layout-animations=(self)," 43 "legacy-image-formats=(self)," 44 "magnetometer=()," 45 "microphone=()," 46 "midi=()," 47 "oversized-images=(self)," 48 "payment=()," 49 "picture-in-picture=()," 50 "publickey-credentials-get=()," 51 "speaker-selection=()," 52 "sync-xhr=(self)," 53 "unoptimized-images=(self)," 54 "unsized-media=(self)," 55 "usb=()," 56 "screen-wak-lock=()," 57 "web-share=()," 58 "xr-spatial-tracking=()"); 59 res.addHeader("X-Permitted-Cross-Domain-Policies", "none"); 60 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp"); 61 res.addHeader("Cross-Origin-Opener-Policy", "same-origin"); 62 res.addHeader("Cross-Origin-Resource-Policy", "same-origin"); 63 res.addHeader("Content-Security-Policy", "default-src 'none'; " 64 "img-src 'self' data:; " 65 "font-src 'self'; " 66 "style-src 'self'; " 67 "script-src 'self'; " 68 "connect-src 'self' wss:; " 69 "form-action 'none'; " 70 "frame-ancestors 'none'; " 71 "object-src 'none'; " 72 "base-uri 'none' "); 73 // The KVM currently needs to load images from base64 encoded 74 // strings. img-src 'self' data: is used to allow that. 75 // https://stackoverflow.com/questions/18447970/content-security-polic 76 // y-data-not-working-for-base64-images-in-chrome-28 77 } 78 } 79