Field | Value | Date
---|---|---
author | Basheer Ahmed Muddebihal <basheerx.muddebihal@intel.com> | 2021-03-17 10:55:57 +0300
committer | Ed Tanous <ed@tanous.net> | 2021-04-14 20:13:20 +0300
commit | 09e7afdc5aad573dbdb21b523893f2ac02477686 |
tree | fabe119c5fd0d853d08944baaa4fb69e0e128259 /include/security_headers.hpp |
parent | 4642bf8f9dd78ec2990f7cd027d0efd3114e9e6d |
Add Content-Security-Policy (CSP) Level 2 Directives

Content Security Policy Level 2 directives as below:
form-action set to 'none' - No form submissions to external websites.
frame-ancestors set to 'none' - Preventing framing attacks
(clickjacking, cross-site leaks).
plugin-types set to 'none' - Plugins are not allowed.
base-uri set to 'none' - Protect against classical stored, reflected,
and some of the DOM XSS attacks.

More Information:
<https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html>

Tested:
Checked the CSP Level 2 directives in Chrome/Firefox/Safari browsers,
webui and webui-vue.
Change-Id: Id823958469fdbb02259fcc24c4e91789c65eec33
Signed-off-by: Basheer Ahmed Muddebihal <basheerx.muddebihal@intel.com>
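The commit message above describes the four Level 2 directives by their intended effect; a reviewer or test author will usually also want to check the emitted header mechanically. The following C++17 snippet is an added example (not bmcweb code) that parses a `Content-Security-Policy` value into directives and reports which of the four new directives are missing or not locked to `'none'`; the sample header string is constructed from the directive literals visible in the strict branch of the patch, not captured from a running BMC.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Parsed CSP: directive name -> its source expressions, in header order.
using CspPolicy = std::map<std::string, std::vector<std::string>>;

// Split a Content-Security-Policy value on ';' and each directive on
// whitespace; the first token names the directive, the rest are sources.
// Blank segments (e.g. from a trailing ';') are skipped.
inline CspPolicy parseCsp(const std::string& header) {
    CspPolicy policy;
    std::stringstream directives(header);
    std::string directive;
    while (std::getline(directives, directive, ';')) {
        std::istringstream tokens(directive);
        std::string name;
        if (!(tokens >> name)) {
            continue;
        }
        std::vector<std::string>& sources = policy[name];
        for (std::string src; tokens >> src;) {
            sources.push_back(src);
        }
    }
    return policy;
}

// Report which of the Level 2 directives this commit adds are absent
// or not set to exactly 'none' (the hardened values of the strict branch).
inline std::vector<std::string> findWeakLevel2Directives(const CspPolicy& policy) {
    static const std::vector<std::string> required = {
        "form-action", "frame-ancestors", "plugin-types", "base-uri"};
    std::vector<std::string> weak;
    for (const std::string& name : required) {
        auto it = policy.find(name);
        if (it == policy.end() ||
            it->second != std::vector<std::string>{"'none'"}) {
            weak.push_back(name);
        }
    }
    return weak;
}

// Constructed sample assembled from the directive strings visible in the
// strict branch of the patch (not a header captured from a real BMC).
const std::string kStrictCsp =
    "font-src 'self'; style-src 'self'; script-src 'self'; "
    "connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; "
    "plugin-types 'none'; base-uri 'none' ";
```

Feeding the permissive branch's header (every directive `*`) through the same check reports all four directives, which is what makes the strict/permissive split visible in a unit test.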
Diffstat (limited to 'include/security_headers.hpp')
Mode | File | Lines
---|---|---
-rw-r--r-- | include/security_headers.hpp | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp index e8cd37af31..6cf26898f6 100644 --- a/include/security_headers.hpp +++ b/include/security_headers.hpp @@ -30,10 +30,15 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], "font-src 'self'; " "style-src 'self'; " "script-src 'self'; " - "connect-src 'self' wss:"); + "connect-src 'self' wss:; " + "form-action 'none'; " + "frame-ancestors 'none'; " + "plugin-types 'none'; " + "base-uri 'none' "); // The KVM currently needs to load images from base64 encoded // strings. img-src 'self' data: is used to allow that. - // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28 + // https://stackoverflow.com/questions/18447970/content-security-polic + // y-data-not-working-for-base64-images-in-chrome-28 } else { @@ -44,7 +49,11 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], "font-src *; " "style-src *; " "script-src *; " - "connect-src *"); + "connect-src *; " + "form-action *; " + "frame-ancestors *; " + "plugin-types *; " + "base-uri *"); const std::string_view origin = req.getHeaderValue("Origin"); res.addHeader(bf::access_control_allow_origin, origin); |
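Review bot: `"form-action 'none'; "` in the first hunk forbids every form submission, including same-origin ones, while the commit message describes it as blocking submissions to external websites only; either the message should say that all form posts are disallowed, or the directive should be `form-action 'self'` if same-origin posts are expected. Two smaller points in the same hunk: `"base-uri 'none' "` carries a trailing space where the matching line in the permissive branch (`"base-uri *"`) has none, and the Stack Overflow URL in the comment has been wrapped mid-word (`...content-security-polic` / `y-data-not-working...`), so it no longer works when copied; keep the URL on one line (wrapping it in `// clang-format off` / `// clang-format on` if the formatter is what split it).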
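Review bot: the four new directives in the second hunk are all set to `*`, the loosest value each accepts, so they add no protection; together with the reflected `Origin` value placed in `access_control_allow_origin` a few lines below, this branch remains framable and form-postable from any site. If that is intended, matching the existing `font-src *` / `script-src *` style of this branch, a comment above the header stating why this branch is deliberately permissive would save the next reader from mistaking these lines for hardening.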