author | Ed Tanous <edtanous@google.com> | 2023-06-15 03:11:47 +0300 |
committer | Ed Tanous <ed@tanous.net> | 2023-06-29 18:49:24 +0300 |
commit | d8139c683a2f42c47ed913b731becc6cd681e2dd (patch) | |
tree | f0f628938a887351a41e03130331e02e39e2e95f /include/security_headers.hpp | |
parent | 9dcfe8c1ca70f8ff260aa5613f787d5fa3e7c45d (diff) | |
download | bmcweb-d8139c683a2f42c47ed913b731becc6cd681e2dd.tar.xz |
Update to owasp headers
Change the Cache-Control header to what owasp recommends.
Remove the X-XSS-Protection. This has been removed from Chrome, and is
unimplemented in other browsers[1].
Add:
X-Permitted-Cross-Domain-Policies
Clear-Site-Data
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
And set them to the OWASP recommended values.
Tested: The OWASP Venom test suite now passes more tests.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Change-Id: I2860041c1037f47bb85a6444cec66960d0aa55f9
Signed-off-by: Ed Tanous <edtanous@google.com>
Diffstat (limited to 'include/security_headers.hpp')
-rw-r--r-- | include/security_headers.hpp | 89 |
1 files changed, 41 insertions, 48 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index d99729f420..9615f6548c 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -10,65 +10,58 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
{
/* TODO(ed) these should really check content types. for example,
- X-UA-Compatible header doesn't make sense when retrieving a JSON or
+ X-Content-Type-Options header doesn't make sense when retrieving a JSON or
javascript file. It doesn't hurt anything, it's just ugly. */
using bf = boost::beast::http::field;
+
+ // Recommendations from https://owasp.org/www-project-secure-headers/
+ // https://owasp.org/www-project-secure-headers/ci/headers_add.json
res.addHeader(bf::strict_transport_security, "max-age=31536000; "
- "includeSubdomains; "
- "preload");
+ "includeSubdomains");
res.addHeader(bf::x_frame_options, "DENY");
res.addHeader(bf::pragma, "no-cache");
- res.addHeader(bf::cache_control, "no-Store,no-Cache");
+ res.addHeader(bf::cache_control, "no-store, max-age=0");
- res.addHeader("X-XSS-Protection", "1; "
- "mode=block");
res.addHeader("X-Content-Type-Options", "nosniff");
- // Recommendations from https://owasp.org/www-project-secure-headers/
- // https://owasp.org/www-project-secure-headers/ci/headers_add.json
res.addHeader("Referrer-Policy", "no-referrer");
- res.addHeader("Permissions-Policy", "accelerometer=(), "
- "ambient-light-sensor=(), "
- "autoplay=(), "
- "battery=(), "
- "bluetooth=(), "
- "camera=(), "
- "ch-ua=(), "
- "ch-ua-arch=(), "
- "ch-ua-bitness=(), "
- "ch-ua-full-version=(), "
- "ch-ua-full-version-list=(), "
- "ch-ua-mobile=(), "
- "ch-ua-model=(), "
- "ch-ua-platform=(), "
- "ch-ua-platform-version=(), "
- "ch-ua-wow64=(), "
- "cross-origin-isolated=(), "
- "display-capture=(), "
- "encrypted-media=(), "
- "execution-while-not-rendered=(), "
- "execution-while-out-of-viewport=(), "
- "fullscreen=(), "
- "geolocation=(), "
- "gyroscope=(), "
- "hid=(), "
- "idle-detection=(), "
- "keyboard-map=(), "
- "magnetometer=(), "
- "microphone=(), "
- "midi=(), "
- "navigation-override=(), "
- "payment=(), "
- "picture-in-picture=(), "
- "publickey-credentials-get=(), "
- "screen-wake-lock=(), "
- "serial=(), "
- "sync-xhr=(), "
- "usb=(self), "
- "web-share=(), "
- "xr-spatial-tracking2=()");
+ res.addHeader("Permissions-Policy", "accelerometer=(),"
+ "ambient-light-sensor=(),"
+ "autoplay=(),"
+ "battery=(),"
+ "camera=(),"
+ "display-capture=(),"
+ "document-domain=(),"
+ "encrypted-media=(),"
+ "fullscreen=(),"
+ "gamepad=(),"
+ "geolocation=(),"
+ "gyroscope=(),"
+ "layout-animations=(self),"
+ "legacy-image-formats=(self),"
+ "magnetometer=(),"
+ "microphone=(),"
+ "midi=(),"
+ "oversized-images=(self),"
+ "payment=(),"
+ "picture-in-picture=(),"
+ "publickey-credentials-get=(),"
+ "speaker-selection=()"
+ "sync-xhr=(self),"
+ "unoptimized-images=(self),"
+ "unsized-media=(self),"
+ "usb=(),"
+ "screen-wak-lock=(),"
+ "web-share=(),"
+ "xr-spatial-tracking=()");
+
+ res.addHeader("X-Permitted-Cross-Domain-Policies", "none");
+
+ res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
+ res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
+ res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
if (bmcwebInsecureDisableXssPrevention == 0)
{
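Review bot: `"speaker-selection=()"` in the new Permissions-Policy literal has no trailing comma, so adjacent-literal concatenation emits `speaker-selection=()sync-xhr=(self),`, which is not a valid Structured Fields dictionary member; because a dictionary that fails to parse is discarded as a whole, the entire Permissions-Policy header is likely ignored by conforming browsers, and the line should read `"speaker-selection=(),"`. A few lines further down `"screen-wak-lock=(),"` misspells `screen-wake-lock`; an unknown feature name is silently ignored, so that capability stays unrestricted until the line is changed to `"screen-wake-lock=(),"`. The commit message also lists Clear-Site-Data among the added headers, but this hunk (whose 41 insertions account for the whole diffstat) adds no such header, so either the message or the change needs correcting. addSecurityHeaders continues past the end of the hunk.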