authorEd Tanous <ed.tanous@intel.com>2019-08-21 22:50:42 +0300
committerEd Tanous <ed.tanous@intel.com>2019-08-29 19:15:21 +0300
commite6de21ad051f226e746f6a522796ef0dace2660b (patch)
tree11ed38438cdfc9da41d7438774d63659bfaed03c
parentbc48a175d5cf0b0426a72730e9542042532959cc (diff)
downloadbmcweb-e6de21ad051f226e746f6a522796ef0dace2660b.tar.xz
Improve the security headers
This patchset consists of two primary changes. 1. Content-Security-Policy is adjusted such that the "default" allowed source is none, then we explicitly enable the few features we actually use by setting them to self 2. Updates the XSS variables to simply forward back the hostname given in the AccessControlAllowOrigin flag, which means that webpack dev server could be running on any port. Tested: Tested IE11, Edge, Firefox, and Chrome for CSP errors. Firefox flags one error that doesn't seem to affect the webui. All other browsers load without issue. Tested launching webpack-dev-server with XSS settings enabled. Launches without warning on any port Signed-off-by: Ed Tanous <ed.tanous@intel.com> Change-Id: Id38f607917d19b0106c4c7708c764c45b646891e
-rw-r--r--include/security_headers_middleware.hpp18
1 files changed, 11 insertions, 7 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 1ebc43ca7a..83df24c194 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -37,19 +37,23 @@ struct SecurityHeadersMiddleware
res.addHeader(bf::pragma, "no-cache");
res.addHeader(bf::cache_control, "no-Store,no-Cache");
- // The KVM currently needs to load images from base64 encoded strings.
- // img-src 'self' data: is used to allow that.
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src 'self' data:; "
+ "font-src 'self'; "
+ "style-src 'self'; "
+ "script-src 'self'; "
+ "connect-src 'self' wss:");
+ // The KVM currently needs to load images from base64 encoded
+ // strings. img-src 'self' data: is used to allow that.
// https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
- res.addHeader("Content-Security-Policy",
- "default-src 'self'; img-src 'self' data:");
+
res.addHeader("X-XSS-Protection", "1; "
"mode=block");
res.addHeader("X-Content-Type-Options", "nosniff");
- res.addHeader("X-UA-Compatible", "IE=11");
#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
-
- res.addHeader(bf::access_control_allow_origin, "http://localhost:8080");
+ res.addHeader(bf::access_control_allow_origin,
+ req.getHeaderValue("Origin"));
res.addHeader(bf::access_control_allow_methods, "GET, "
"POST, "
"PUT, "