diff options
author | Ed Tanous <ed.tanous@intel.com> | 2017-11-07 15:32:12 -0800 |
---|---|---|
committer | Ed Tanous <ed.tanous@intel.com> | 2017-11-07 15:32:12 -0800 |
commit | 746b22a2d73aa995dd434492b7f2b649db8c1c4d (patch) | |
tree | fdd1cf986ac0808bcd031a5fe8e25698a4d9c405 | |
parent | 038c52e00db22a49f7b94eb10a94b17a31e2ed3d (diff) | |
download | bmcweb-746b22a2d73aa995dd434492b7f2b649db8c1c4d.tar.gz bmcweb-746b22a2d73aa995dd434492b7f2b649db8c1c4d.zip |
Update crow to improve security
Change-Id: I86146edde21bac89e6cc30afdd79690e2b0adadd
-rw-r--r-- | include/security_headers_middleware.hpp | 10 | ||||
-rw-r--r-- | include/ssl_key_handler.hpp | 3 | ||||
-rw-r--r-- | include/webassets.hpp | 2 |
3 files changed, 10 insertions, 5 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp index e12395a..19369f9 100644 --- a/include/security_headers_middleware.hpp +++ b/include/security_headers_middleware.hpp @@ -20,6 +20,12 @@ static const char* xss_value = "1; mode=block"; static const char* content_security_key = "X-Content-Security-Policy"; static const char* content_security_value = "default-src 'self'"; +static const char* pragma_key = "Pragma"; +static const char* pragma_value = "no-cache"; + +static const char* cache_control_key = "Cache-Control"; +static const char* cache_control_value = "no-Store,no-Cache"; + struct SecurityHeadersMiddleware { struct context {}; @@ -37,8 +43,8 @@ struct SecurityHeadersMiddleware { res.add_header(xframe_key, xframe_value); res.add_header(xss_key, xss_value); res.add_header(content_security_key, content_security_value); - res.add_header("Access-Control-Allow-Origin", "http://localhost:8085"); - res.add_header("Access-Control-Allow-Credentials", "true"); + res.add_header(pragma_key, pragma_value); + res.add_header(cache_control_key, cache_control_value); } }; } // namespace crow diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp index 2a1a852..ef512e6 100644 --- a/include/ssl_key_handler.hpp +++ b/include/ssl_key_handler.hpp @@ -4,7 +4,6 @@ #include <openssl/bio.h> #include <openssl/dh.h> #include <openssl/dsa.h> -#include <openssl/dsa.h> #include <openssl/err.h> #include <openssl/evp.h> #include <openssl/pem.h> @@ -304,7 +303,7 @@ inline boost::asio::ssl::context get_ssl_context( std::string aes_only_ciphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL"; if (SSL_CTX_set_cipher_list(m_ssl_context.native_handle(), - mozilla_compatibility_ciphers.c_str()) != 1) { + mozilla_modern_ciphers.c_str()) != 1) { CROW_LOG_ERROR << "Error setting cipher list\n"; } return m_ssl_context; diff --git a/include/webassets.hpp b/include/webassets.hpp index 3afa61f..6fd0d60 100644 --- a/include/webassets.hpp +++ b/include/webassets.hpp @@ -87,7 +87,7 @@ void request_routes(Crow<Middlewares...>& app) { } } } - app.route_dynamic(std::string(webpath.string()))( + app.route_dynamic(webpath.string())( [is_gzip, absolute_path_str, content_type](const crow::request& req, crow::response& res) { static const char* content_type_string = "Content-Type"; |