1 #pragma once
2 
3 #include "bmcweb_config.h"
4 
5 #include "http_request.hpp"
6 #include "http_response.hpp"
7 
8 inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
9                                crow::Response& res)
10 {
11     /*
12      TODO(ed) these should really check content types.  for example,
13      X-Content-Type-Options header doesn't make sense when retrieving a JSON or
14      javascript file.  It doesn't hurt anything, it's just ugly.
15      */
16     using bf = boost::beast::http::field;
17 
18     // Recommendations from https://owasp.org/www-project-secure-headers/
19     // https://owasp.org/www-project-secure-headers/ci/headers_add.json
20     res.addHeader(bf::strict_transport_security, "max-age=31536000; "
21                                                  "includeSubdomains");
22     res.addHeader(bf::x_frame_options, "DENY");
23 
24     res.addHeader(bf::pragma, "no-cache");
25     res.addHeader(bf::cache_control, "no-store, max-age=0");
26 
27     res.addHeader("X-Content-Type-Options", "nosniff");
28 
29     res.addHeader("Referrer-Policy", "no-referrer");
30     res.addHeader("Permissions-Policy", "accelerometer=(),"
31                                         "ambient-light-sensor=(),"
32                                         "autoplay=(),"
33                                         "battery=(),"
34                                         "camera=(),"
35                                         "display-capture=(),"
36                                         "document-domain=(),"
37                                         "encrypted-media=(),"
38                                         "fullscreen=(),"
39                                         "gamepad=(),"
40                                         "geolocation=(),"
41                                         "gyroscope=(),"
42                                         "layout-animations=(self),"
43                                         "legacy-image-formats=(self),"
44                                         "magnetometer=(),"
45                                         "microphone=(),"
46                                         "midi=(),"
47                                         "oversized-images=(self),"
48                                         "payment=(),"
49                                         "picture-in-picture=(),"
50                                         "publickey-credentials-get=(),"
51                                         "speaker-selection=(),"
52                                         "sync-xhr=(self),"
53                                         "unoptimized-images=(self),"
54                                         "unsized-media=(self),"
55                                         "usb=(),"
56                                         "screen-wak-lock=(),"
57                                         "web-share=(),"
58                                         "xr-spatial-tracking=()");
59 
60     res.addHeader("X-Permitted-Cross-Domain-Policies", "none");
61 
62     res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
63     res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
64     res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
65 
66     if (bmcwebInsecureDisableXssPrevention == 0)
67     {
68         res.addHeader("Content-Security-Policy", "default-src 'none'; "
69                                                  "img-src 'self' data:; "
70                                                  "font-src 'self'; "
71                                                  "style-src 'self'; "
72                                                  "script-src 'self'; "
73                                                  "connect-src 'self' wss:; "
74                                                  "form-action 'none'; "
75                                                  "frame-ancestors 'none'; "
76                                                  "object-src 'none'; "
77                                                  "base-uri 'none' ");
78         // The KVM currently needs to load images from base64 encoded
79         // strings. img-src 'self' data: is used to allow that.
80         // https://stackoverflow.com/questions/18447970/content-security-polic
81         // y-data-not-working-for-base64-images-in-chrome-28
82     }
83     else
84     {
85         // If XSS is disabled, we need to allow loading from addresses other
86         // than self, as the BMC will be hosted elsewhere.
87         res.addHeader("Content-Security-Policy", "default-src 'none'; "
88                                                  "img-src *; "
89                                                  "font-src *; "
90                                                  "style-src *; "
91                                                  "script-src *; "
92                                                  "connect-src *; "
93                                                  "form-action *; "
94                                                  "frame-ancestors *; "
95                                                  "object-src *; "
96                                                  "base-uri *");
97 
98         std::string_view origin = req.getHeaderValue("Origin");
99         res.addHeader(bf::access_control_allow_origin, origin);
100         res.addHeader(bf::access_control_allow_methods, "GET, "
101                                                         "POST, "
102                                                         "PUT, "
103                                                         "PATCH, "
104                                                         "DELETE");
105         res.addHeader(bf::access_control_allow_credentials, "true");
106         res.addHeader(bf::access_control_allow_headers, "Origin, "
107                                                         "Content-Type, "
108                                                         "Accept, "
109                                                         "Cookie, "
110                                                         "X-XSRF-TOKEN");
111     }
112 }
113