1 #pragma once 2 3 #include <http_response.hpp> 4 5 inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], 6 crow::Response& res) 7 { 8 /* 9 TODO(ed) these should really check content types. for example, 10 X-UA-Compatible header doesn't make sense when retrieving a JSON or 11 javascript file. It doesn't hurt anything, it's just ugly. 12 */ 13 using bf = boost::beast::http::field; 14 res.addHeader(bf::strict_transport_security, "max-age=31536000; " 15 "includeSubdomains; " 16 "preload"); 17 res.addHeader(bf::x_frame_options, "DENY"); 18 19 res.addHeader(bf::pragma, "no-cache"); 20 res.addHeader(bf::cache_control, "no-Store,no-Cache"); 21 22 res.addHeader("X-XSS-Protection", "1; " 23 "mode=block"); 24 res.addHeader("X-Content-Type-Options", "nosniff"); 25 26 if (!bmcwebInsecureDisableXssPrevention) 27 { 28 res.addHeader("Content-Security-Policy", "default-src 'none'; " 29 "img-src 'self' data:; " 30 "font-src 'self'; " 31 "style-src 'self'; " 32 "script-src 'self'; " 33 "connect-src 'self' wss:"); 34 // The KVM currently needs to load images from base64 encoded 35 // strings. img-src 'self' data: is used to allow that. 36 // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28 37 } 38 else 39 { 40 // If XSS is disabled, we need to allow loading from addresses other 41 // than self, as the BMC will be hosted elsewhere. 42 res.addHeader("Content-Security-Policy", "default-src 'none'; " 43 "img-src *; " 44 "font-src *; " 45 "style-src *; " 46 "script-src *; " 47 "connect-src *"); 48 49 const std::string_view origin = req.getHeaderValue("Origin"); 50 res.addHeader(bf::access_control_allow_origin, origin); 51 res.addHeader(bf::access_control_allow_methods, "GET, " 52 "POST, " 53 "PUT, " 54 "PATCH, " 55 "DELETE"); 56 res.addHeader(bf::access_control_allow_credentials, "true"); 57 res.addHeader(bf::access_control_allow_headers, "Origin, " 58 "Content-Type, " 59 "Accept, " 60 "Cookie, " 61 "X-XSRF-TOKEN"); 62 } 63 } 64