authorEd Tanous <ed.tanous@intel.com>2019-05-23 00:28:16 +0300
committerEd Tanous <ed.tanous@intel.com>2019-05-30 00:16:49 +0300
commitfe5b216f3bd0dde507aeedd4f5ad7b001dc6de04 (patch)
tree82eb8426e3d4f3d5e2d71ededf22e84782d6b47f /crow
parent489640c6e8db3d1aa999cd9429e41329cf22cd47 (diff)
Add security headers to websockets
websocket connections are by definition transient, and cannot be cached. Unfortunately, certain security scanners don't see it that way, and flag errors on the lack of CSP, XSS, and Content-Type headers when given a websocket upgrade response. This commit adds the: Strict-Transport-Security Pragma Cache-Control Content-Security-Policy X-XSS-Protection X-Content-Type-Options headers to the response when an upgrade occurs, to make the security scanners happy. Tested: Opened the main application, observed the /subscribe api. Signed-off-by: Ed Tanous <ed.tanous@intel.com> Change-Id: If76dc54f6501b3eb2caf44913d254a8b32d3fd30
Diffstat (limited to 'crow')
-rw-r--r--crow/include/crow/websocket.h19
1 files changed, 15 insertions, 4 deletions
diff --git a/crow/include/crow/websocket.h b/crow/include/crow/websocket.h
index f46147743a..301f39434c 100644
--- a/crow/include/crow/websocket.h
+++ b/crow/include/crow/websocket.h
@@ -73,8 +73,10 @@ template <typename Adaptor> class ConnectionImpl : public Connection
{
BMCWEB_LOG_DEBUG << "starting connection " << this;
- std::string_view protocol = req.getHeaderValue(
- boost::beast::http::field::sec_websocket_protocol);
+ using bf = boost::beast::http::field;
+
+ std::string_view protocol =
+ req.getHeaderValue(bf::sec_websocket_protocol);
// Perform the websocket upgrade
ws.async_accept_ex(
@@ -83,9 +85,18 @@ template <typename Adaptor> class ConnectionImpl : public Connection
boost::beast::websocket::response_type& m) {
if (!protocol.empty())
{
- m.insert(boost::beast::http::field::sec_websocket_protocol,
- protocol);
+ m.insert(bf::sec_websocket_protocol, protocol);
}
+
+ m.insert(bf::strict_transport_security, "max-age=31536000; "
+ "includeSubdomains; "
+ "preload");
+ m.insert(bf::pragma, "no-cache");
+ m.insert(bf::cache_control, "no-Store,no-Cache");
+ m.insert("Content-Security-Policy", "default-src 'self'");
+ m.insert("X-XSS-Protection", "1; "
+ "mode=block");
+ m.insert("X-Content-Type-Options", "nosniff");
},
[this, self(shared_from_this())](boost::system::error_code ec) {
if (ec)
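Review bot: The `preload` directive in the Strict-Transport-Security value at the top of the added inserts is a stronger promise than a BMC can keep: it asserts the host is eligible for browser HSTS preload lists, and together with `includeSubdomains` it binds every subdomain of whatever name the BMC is reached under, while browsers only honour the header at all when the response arrives over TLS — `Adaptor` is a template parameter, so a plain-socket instantiation would emit it to no effect. I would drop it, `m.insert(bf::strict_transport_security, "max-age=31536000; includeSubDomains");`, or better mirror exactly what the HTTP response path already sends so the two cannot drift, with a comment above the inserts such as `// Mirror the security headers of the HTTP path; scanners flag the 101 response without them.` Nothing in the hunk checks the request's Origin header before the upgrade is accepted; if that is not done before `async_accept_ex` (the request handling is outside this hunk), a cross-site page can open an authenticated websocket regardless of which headers the 101 carries. The `X-XSS-Protection: 1; mode=block` value is also one current guidance recommends disabling (`0`), since the filter it enables has been a source of cross-site leaks, so it is worth a comment noting it is there only to satisfy scanners. The enclosing function continues past the end of the hunk.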