summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEd Tanous <ed.tanous@intel.com>2019-05-22 14:28:16 -0700
committerEd Tanous <ed.tanous@intel.com>2019-05-29 21:16:49 +0000
commitfe5b216f3bd0dde507aeedd4f5ad7b001dc6de04 (patch)
tree82eb8426e3d4f3d5e2d71ededf22e84782d6b47f
parent489640c6e8db3d1aa999cd9429e41329cf22cd47 (diff)
downloadbmcweb-fe5b216f3bd0dde507aeedd4f5ad7b001dc6de04.tar.gz
bmcweb-fe5b216f3bd0dde507aeedd4f5ad7b001dc6de04.zip
Add security headers to websockets
websocket connections are by definition temporal, and cannot be cached. Unfortunately, certain security scanners don't see it that way, and flag errors on lack of CSP, XSS, and Content-Type headers when giving a websocket upgrade response. This commit adds the: Strict-Transport-Security Pragma Cache-Control Content-security-policy X-XSS-Protection X-Content-Type-Options Headers to the response when an upgrade occurs, to make the security scanners happy. Tested: Opened the main application, obseved the /subscribe api. Signed-off-by: Ed Tanous <ed.tanous@intel.com> Change-Id: If76dc54f6501b3eb2caf44913d254a8b32d3fd30
-rw-r--r--crow/include/crow/websocket.h19
1 files changed, 15 insertions, 4 deletions
diff --git a/crow/include/crow/websocket.h b/crow/include/crow/websocket.h
index f461477..301f394 100644
--- a/crow/include/crow/websocket.h
+++ b/crow/include/crow/websocket.h
@@ -73,8 +73,10 @@ template <typename Adaptor> class ConnectionImpl : public Connection
{
BMCWEB_LOG_DEBUG << "starting connection " << this;
- std::string_view protocol = req.getHeaderValue(
- boost::beast::http::field::sec_websocket_protocol);
+ using bf = boost::beast::http::field;
+
+ std::string_view protocol =
+ req.getHeaderValue(bf::sec_websocket_protocol);
// Perform the websocket upgrade
ws.async_accept_ex(
@@ -83,9 +85,18 @@ template <typename Adaptor> class ConnectionImpl : public Connection
boost::beast::websocket::response_type& m) {
if (!protocol.empty())
{
- m.insert(boost::beast::http::field::sec_websocket_protocol,
- protocol);
+ m.insert(bf::sec_websocket_protocol, protocol);
}
+
+ m.insert(bf::strict_transport_security, "max-age=31536000; "
+ "includeSubdomains; "
+ "preload");
+ m.insert(bf::pragma, "no-cache");
+ m.insert(bf::cache_control, "no-Store,no-Cache");
+ m.insert("Content-Security-Policy", "default-src 'self'");
+ m.insert("X-XSS-Protection", "1; "
+ "mode=block");
+ m.insert("X-Content-Type-Options", "nosniff");
},
[this, self(shared_from_this())](boost::system::error_code ec) {
if (ec)
OpenPOWER on IntegriCloud