1 #pragma once
2 
3 #include "bmcweb_config.h"
4 
5 #include "http_request.hpp"
6 #include "http_response.hpp"
7 
8 inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
9                                crow::Response& res)
10 {
11     /*
12      TODO(ed) these should really check content types.  for example,
13      X-UA-Compatible header doesn't make sense when retrieving a JSON or
14      javascript file.  It doesn't hurt anything, it's just ugly.
15      */
16     using bf = boost::beast::http::field;
17     res.addHeader(bf::strict_transport_security, "max-age=31536000; "
18                                                  "includeSubdomains; "
19                                                  "preload");
20     res.addHeader(bf::x_frame_options, "DENY");
21 
22     res.addHeader(bf::pragma, "no-cache");
23     res.addHeader(bf::cache_control, "no-Store,no-Cache");
24 
25     res.addHeader("X-XSS-Protection", "1; "
26                                       "mode=block");
27     res.addHeader("X-Content-Type-Options", "nosniff");
28 
29     if (bmcwebInsecureDisableXssPrevention == 0)
30     {
31         res.addHeader("Content-Security-Policy", "default-src 'none'; "
32                                                  "img-src 'self' data:; "
33                                                  "font-src 'self'; "
34                                                  "style-src 'self'; "
35                                                  "script-src 'self'; "
36                                                  "connect-src 'self' wss:; "
37                                                  "form-action 'none'; "
38                                                  "frame-ancestors 'none'; "
39                                                  "object-src 'none'; "
40                                                  "base-uri 'none' ");
41         // The KVM currently needs to load images from base64 encoded
42         // strings. img-src 'self' data: is used to allow that.
43         // https://stackoverflow.com/questions/18447970/content-security-polic
44         // y-data-not-working-for-base64-images-in-chrome-28
45     }
46     else
47     {
48         // If XSS is disabled, we need to allow loading from addresses other
49         // than self, as the BMC will be hosted elsewhere.
50         res.addHeader("Content-Security-Policy", "default-src 'none'; "
51                                                  "img-src *; "
52                                                  "font-src *; "
53                                                  "style-src *; "
54                                                  "script-src *; "
55                                                  "connect-src *; "
56                                                  "form-action *; "
57                                                  "frame-ancestors *; "
58                                                  "object-src *; "
59                                                  "base-uri *");
60 
61         std::string_view origin = req.getHeaderValue("Origin");
62         res.addHeader(bf::access_control_allow_origin, origin);
63         res.addHeader(bf::access_control_allow_methods, "GET, "
64                                                         "POST, "
65                                                         "PUT, "
66                                                         "PATCH, "
67                                                         "DELETE");
68         res.addHeader(bf::access_control_allow_credentials, "true");
69         res.addHeader(bf::access_control_allow_headers, "Origin, "
70                                                         "Content-Type, "
71                                                         "Accept, "
72                                                         "Cookie, "
73                                                         "X-XSRF-TOKEN");
74     }
75 }
76