diff options
| author | Ed Tanous <ed.tanous@intel.com> | 2019-05-22 14:28:16 -0700 |
|---|---|---|
| committer | Ed Tanous <ed.tanous@intel.com> | 2019-05-29 21:16:49 +0000 |
| commit | fe5b216f3bd0dde507aeedd4f5ad7b001dc6de04 (patch) | |
| tree | 82eb8426e3d4f3d5e2d71ededf22e84782d6b47f | |
| parent | 489640c6e8db3d1aa999cd9429e41329cf22cd47 (diff) | |
| download | bmcweb-fe5b216f3bd0dde507aeedd4f5ad7b001dc6de04.tar.gz bmcweb-fe5b216f3bd0dde507aeedd4f5ad7b001dc6de04.zip | |
Add security headers to websockets
websocket connections are by definition temporal, and cannot be cached.
Unfortunately, certain security scanners don't see it that way, and flag
errors on lack of CSP, XSS, and Content-Type headers when giving a
websocket upgrade response.
This commit adds the:
Strict-Transport-Security
Pragma
Cache-Control
Content-security-policy
X-XSS-Protection
X-Content-Type-Options
Headers to the response when an upgrade occurs, to make the security
scanners happy.
Tested:
Opened the main application, obseved the /subscribe api.
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: If76dc54f6501b3eb2caf44913d254a8b32d3fd30
| -rw-r--r-- | crow/include/crow/websocket.h | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/crow/include/crow/websocket.h b/crow/include/crow/websocket.h index f461477..301f394 100644 --- a/crow/include/crow/websocket.h +++ b/crow/include/crow/websocket.h @@ -73,8 +73,10 @@ template <typename Adaptor> class ConnectionImpl : public Connection { BMCWEB_LOG_DEBUG << "starting connection " << this; - std::string_view protocol = req.getHeaderValue( - boost::beast::http::field::sec_websocket_protocol); + using bf = boost::beast::http::field; + + std::string_view protocol = + req.getHeaderValue(bf::sec_websocket_protocol); // Perform the websocket upgrade ws.async_accept_ex( @@ -83,9 +85,18 @@ template <typename Adaptor> class ConnectionImpl : public Connection boost::beast::websocket::response_type& m) { if (!protocol.empty()) { - m.insert(boost::beast::http::field::sec_websocket_protocol, - protocol); + m.insert(bf::sec_websocket_protocol, protocol); } + + m.insert(bf::strict_transport_security, "max-age=31536000; " + "includeSubdomains; " + "preload"); + m.insert(bf::pragma, "no-cache"); + m.insert(bf::cache_control, "no-Store,no-Cache"); + m.insert("Content-Security-Policy", "default-src 'self'"); + m.insert("X-XSS-Protection", "1; " + "mode=block"); + m.insert("X-Content-Type-Options", "nosniff"); }, [this, self(shared_from_this())](boost::system::error_code ec) { if (ec) |

