path: root/include/security_headers.hpp
author: Basheer Ahmed Muddebihal <basheerx.muddebihal@intel.com> 2021-03-17 10:55:57 +0300
committer: Ed Tanous <ed@tanous.net> 2021-04-14 20:13:20 +0300
commit: 09e7afdc5aad573dbdb21b523893f2ac02477686 (patch)
tree: fabe119c5fd0d853d08944baaa4fb69e0e128259 /include/security_headers.hpp
parent: 4642bf8f9dd78ec2990f7cd027d0efd3114e9e6d (diff)
download: bmcweb-09e7afdc5aad573dbdb21b523893f2ac02477686.tar.xz
Add Content-Security-Policy (CSP) Level 2 directives

Content Security Policy Level 2 directives as below:

- form-action set to 'none': no form submissions to external websites.
- frame-ancestors set to 'none': preventing framing attacks (clickjacking, cross-site leaks).
- plugin-types set to 'none': plugins are not allowed.
- base-uri set to 'none': protect against classical stored, reflected, and some of the DOM XSS attacks.

More information: <https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html>

Tested: Checked the CSP level directives in Chrome/Firefox/Safari browsers, webui and webui-vue.

Change-Id: Id823958469fdbb02259fcc24c4e91789c65eec33
Signed-off-by: Basheer Ahmed Muddebihal <basheerx.muddebihal@intel.com>
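As an added example (not code from bmcweb or from this patch): a small C++17 checker that parses a Content-Security-Policy value into its directives and applies the checks a reviewer would want on the Level 2 directives listed in the commit message, including the point that plugin-types takes media types rather than 'none'. The first two policy strings are constructed from the visible lines of the patch only; directives the patch does not show (default-src, object-src) are omitted, so the "production" string is not the project's complete header. The third string is an assumed hardened variant that drops plugin-types in favour of object-src 'none'.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <map>
#include <string>
#include <string_view>
#include <vector>

// directive name -> list of source expressions / values
using Policy = std::map<std::string, std::vector<std::string>>;

static std::string_view trim(std::string_view s) {
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.front()))) s.remove_prefix(1);
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.back()))) s.remove_suffix(1);
    return s;
}

// Parse a CSP header value the way a browser does: directives are ';'-separated,
// the first token is the case-insensitive directive name, the remaining tokens
// are its values, and a repeated directive is ignored in favour of the first one.
Policy parseCsp(std::string_view header) {
    Policy policy;
    for (size_t start = 0; start < header.size();) {
        size_t end = header.find(';', start);
        if (end == std::string_view::npos) end = header.size();
        std::string_view directive = trim(header.substr(start, end - start));
        start = end + 1;

        std::vector<std::string> tokens;
        for (size_t pos = 0; pos < directive.size();) {
            while (pos < directive.size() && std::isspace(static_cast<unsigned char>(directive[pos]))) ++pos;
            size_t tokEnd = pos;
            while (tokEnd < directive.size() && !std::isspace(static_cast<unsigned char>(directive[tokEnd]))) ++tokEnd;
            if (tokEnd > pos) tokens.emplace_back(std::string(directive.substr(pos, tokEnd - pos)));
            pos = tokEnd;
        }
        if (tokens.empty()) continue;
        std::string name = tokens.front();
        for (char& c : name) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        tokens.erase(tokens.begin());
        policy.emplace(name, std::move(tokens)); // emplace keeps the first occurrence
    }
    return policy;
}

// Reviewer checks on the assembled policy:
//  - frame-ancestors must be present and not '*', or any origin can frame the page;
//  - base-uri and form-action must be present (the Level 2 additions);
//  - plugin-types takes media types such as application/pdf, so 'none' or '*' are not
//    valid values; plugins are blocked portably by object-src 'none' (object-src falls
//    back to default-src when absent).
std::vector<std::string> cspProblems(const Policy& policy) {
    std::vector<std::string> problems;
    auto get = [&](const char* name) -> const std::vector<std::string>* {
        auto it = policy.find(name);
        return it == policy.end() ? nullptr : &it->second;
    };
    auto contains = [](const std::vector<std::string>* vals, const char* v) {
        return vals != nullptr && std::find(vals->begin(), vals->end(), v) != vals->end();
    };
    const auto* fa = get("frame-ancestors");
    if (fa == nullptr) problems.push_back("frame-ancestors missing: any origin may frame the page");
    else if (contains(fa, "*")) problems.push_back("frame-ancestors * allows framing from any origin");
    for (const char* d : std::initializer_list<const char*>{"base-uri", "form-action"}) {
        if (get(d) == nullptr) problems.push_back(std::string(d) + " missing");
    }
    if (const auto* pt = get("plugin-types")) {
        for (const std::string& v : *pt) {
            if (v.find('/') == std::string::npos)
                problems.push_back("plugin-types value " + v + " is not a media type; use object-src 'none' to block plugins");
        }
    }
    if (get("object-src") == nullptr && get("default-src") == nullptr)
        problems.push_back("object-src missing with no default-src fallback: plugins are not blocked");
    return problems;
}

// True if any reported problem contains the fragment.
bool mentions(const std::vector<std::string>& problems, const char* fragment) {
    for (const std::string& p : problems) if (p.find(fragment) != std::string::npos) return true;
    return false;
}

// Constructed from the visible lines of the patch only (no default-src / object-src shown).
const std::string kProductionCsp =
    "font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; "
    "form-action 'none'; frame-ancestors 'none'; plugin-types 'none'; base-uri 'none' ";
const std::string kDebugCsp =
    "font-src *; style-src *; script-src *; connect-src *; "
    "form-action *; frame-ancestors *; plugin-types *; base-uri *";
// Assumed hardened variant: plugin-types replaced by object-src 'none'.
const std::string kHardenedCsp =
    "font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; "
    "form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'";

int main() {
    for (const std::string* csp : {&kProductionCsp, &kDebugCsp, &kHardenedCsp})
        for (const std::string& p : cspProblems(parseCsp(*csp))) std::cout << p << '\n';
    return 0;
}
```

Run against the production string the checker reports only the plugin-types value and the (constructed) absence of object-src; against the debug string it additionally flags frame-ancestors *; the hardened string produces no findings.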
Diffstat (limited to 'include/security_headers.hpp')
-rw-r--r-- include/security_headers.hpp 15
1 file changed, 12 insertions, 3 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index e8cd37af31..6cf26898f6 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -30,10 +30,15 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
"font-src 'self'; "
"style-src 'self'; "
"script-src 'self'; "
- "connect-src 'self' wss:");
+ "connect-src 'self' wss:; "
+ "form-action 'none'; "
+ "frame-ancestors 'none'; "
+ "plugin-types 'none'; "
+ "base-uri 'none' ");
// The KVM currently needs to load images from base64 encoded
// strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
+ // https://stackoverflow.com/questions/18447970/content-security-polic
+ // y-data-not-working-for-base64-images-in-chrome-28
}
else
{
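Review bot: 'none' is not a valid value for plugin-types (the "plugin-types 'none'; " line in this hunk): that directive takes a list of media types such as application/pdf, Firefox never implemented it, and it is no longer part of the CSP Level 3 draft, so the commit message's intent ("plugins are not allowed") is not reliably expressed by it. The portable way to block plugin content is "object-src 'none'; ", which should replace the plugin-types entry unless an object-src or default-src restriction already exists above this hunk. Two smaller points: "base-uri 'none' " carries a trailing space inside the string that the other entries do not, and splitting the stackoverflow URL across two comment lines leaves a link that cannot be followed or copied; keep the URL whole on its own comment line.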
@@ -44,7 +49,11 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
"font-src *; "
"style-src *; "
"script-src *; "
- "connect-src *");
+ "connect-src *; "
+ "form-action *; "
+ "frame-ancestors *; "
+ "plugin-types *; "
+ "base-uri *");
const std::string_view origin = req.getHeaderValue("Origin");
res.addHeader(bf::access_control_allow_origin, origin);
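Review bot: the four wildcard entries added to this branch ("form-action *; ", "frame-ancestors *; ", "plugin-types *; ", "base-uri *") add nothing: an absent form-action, frame-ancestors or base-uri directive already imposes no restriction, and "*" is not a media type so plugin-types * is invalid just as 'none' is in the production branch. Drop the four lines here and leave "connect-src *" as the final entry, which keeps the debug policy shorter and avoids having to mirror every future production directive with a permissive twin.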