diff options
| author | Ed Tanous <ed.tanous@intel.com> | 2017-06-12 16:01:42 -0700 |
|---|---|---|
| committer | Ed Tanous <ed.tanous@intel.com> | 2017-06-12 16:01:42 -0700 |
| commit | f3d847c9b91319220266695c726fdacbd1a860e8 (patch) | |
| tree | abdf28dcf03ebacb22c6948b153738aa17e5073e /include/security_headers_middleware.hpp | |
| parent | c9b5521eb8505c55784f1bb2743e7d8addb6e42e (diff) | |
| download | bmcweb-f3d847c9b91319220266695c726fdacbd1a860e8.tar.gz bmcweb-f3d847c9b91319220266695c726fdacbd1a860e8.zip | |
incremental
Diffstat (limited to 'include/security_headers_middleware.hpp')
| -rw-r--r-- | include/security_headers_middleware.hpp | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp index 7e84543..19644f4 100644 --- a/include/security_headers_middleware.hpp +++ b/include/security_headers_middleware.hpp @@ -4,12 +4,45 @@ #include <crow/http_response.h> namespace crow { +static const std::string strict_transport_security_key = + "Strict-Transport-Security"; +static const std::string strict_transport_security_value = + "max-age=31536000; includeSubdomains; preload"; + +static const std::string ua_compatability_key = "X-UA-Compatible"; +static const std::string ua_compatability_value = "IE=11"; + +static const std::string xframe_key = "X-Frame-Options"; +static const std::string xframe_value = "DENY"; + +static const std::string xss_key = "X-XSS-Protection"; +static const std::string xss_value = "1; mode=block"; + +static const std::string content_security_key = "X-Content-Security-Policy"; +static const std::string content_security_value = "default-src 'self'"; + struct SecurityHeadersMiddleware { struct context {}; - void before_handle(crow::request& req, response& res, context& ctx); + void before_handle(crow::request& req, + response& res, + context& ctx) {} - void after_handle(request& req, response& res, context& ctx); + void after_handle(request& /*req*/, + response& res, + context& ctx) { + /* + TODO(ed) these should really check content types. for example, + X-UA-Compatible header doesn't make sense when retrieving a JSON or + javascript file. It doesn't hurt anything, it's just ugly. + */ + res.add_header(strict_transport_security_key, + strict_transport_security_value); + res.add_header(ua_compatability_key, ua_compatability_value); + res.add_header(xframe_key, xframe_value); + res.add_header(xss_key, xss_value); + res.add_header(content_security_key, content_security_value); + } }; }
\ No newline at end of file |
