authorEd Tanous <ed.tanous@intel.com>2017-08-15 19:37:42 +0300
committerEd Tanous <ed.tanous@intel.com>2017-10-11 23:34:56 +0300
commit911ac31759cb7b77a856af8806b4e064d50d7422 (patch)
treec4b714fabb2b956936ab6dffc18d9ff418756cf4 /include/security_headers_middleware.hpp
parent8f0c0481d2280919b38a31656ba21a4347d12620 (diff)
Large updates to webserver
Do not merge yet Change-Id: I38c56844c1b0e3e8e5493c2705e62e6db7ee2102
Diffstat (limited to 'include/security_headers_middleware.hpp')
-rw-r--r--include/security_headers_middleware.hpp34
1 files changed, 15 insertions, 19 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 19644f45bd..e12395a553 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -4,34 +4,28 @@
#include <crow/http_response.h>
namespace crow {
-static const std::string strict_transport_security_key =
- "Strict-Transport-Security";
-static const std::string strict_transport_security_value =
+static const char* strict_transport_security_key = "Strict-Transport-Security";
+static const char* strict_transport_security_value =
"max-age=31536000; includeSubdomains; preload";
-static const std::string ua_compatability_key = "X-UA-Compatible";
-static const std::string ua_compatability_value = "IE=11";
+static const char* ua_compatability_key = "X-UA-Compatible";
+static const char* ua_compatability_value = "IE=11";
-static const std::string xframe_key = "X-Frame-Options";
-static const std::string xframe_value = "DENY";
+static const char* xframe_key = "X-Frame-Options";
+static const char* xframe_value = "DENY";
-static const std::string xss_key = "X-XSS-Protection";
-static const std::string xss_value = "1; mode=block";
-
-static const std::string content_security_key = "X-Content-Security-Policy";
-static const std::string content_security_value = "default-src 'self'";
+static const char* xss_key = "X-XSS-Protection";
+static const char* xss_value = "1; mode=block";
+static const char* content_security_key = "X-Content-Security-Policy";
+static const char* content_security_value = "default-src 'self'";
struct SecurityHeadersMiddleware {
struct context {};
- void before_handle(crow::request& req,
- response& res,
- context& ctx) {}
+ void before_handle(crow::request& req, response& res, context& ctx) {}
- void after_handle(request& /*req*/,
- response& res,
- context& ctx) {
+ void after_handle(request& req, response& res, context& ctx) {
/*
TODO(ed) these should really check content types. for example,
X-UA-Compatible header doesn't make sense when retrieving a JSON or
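Review bot: The rewritten constants on the new side still send the policy under the legacy prefixed name `X-Content-Security-Policy`, and as far as I know current browsers only enforce the unprefixed `Content-Security-Policy`, so `default-src 'self'` is effectively a no-op for most clients; the key should be `static const char* const content_security_key = "Content-Security-Policy";` (keeping the X- variant in addition, if older clients matter). Note also that `static const char* name = "..."` declares a mutable pointer to const characters, so every translation unit that includes this header gets its own writable global that could be repointed; `static const char* const` (or `constexpr`) fixes that for all eight constants. Dropping the `/*req*/` comment on the `after_handle` parameter will likely reintroduce an unused-parameter warning under -Wextra; either restore the comment or use the parameter. The `after_handle` body continues past the end of this hunk.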
@@ -43,6 +37,8 @@ struct SecurityHeadersMiddleware {
res.add_header(xframe_key, xframe_value);
res.add_header(xss_key, xss_value);
res.add_header(content_security_key, content_security_value);
+ res.add_header("Access-Control-Allow-Origin", "http://localhost:8085");
+ res.add_header("Access-Control-Allow-Credentials", "true");
}
};
-} \ No newline at end of file
+} // namespace crow
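Review bot: The two added `res.add_header` calls make every response carry `Access-Control-Allow-Origin: http://localhost:8085` together with `Access-Control-Allow-Credentials: true`, which tells browsers that any page served from that plain-http origin on the client's machine may issue credentialed cross-origin requests to the BMC and read the replies; that is a standing cross-site request path, not a security header, and it should not ship in a middleware named for hardening responses. The commit message says "Do not merge yet", so this presumably is a development convenience for a local UI server; if it is to stay, gate it on an explicit build-time development switch, e.g. wrap both calls in `#ifdef BMCWEB_ENABLE_DEV_CORS ... #endif` with a comment stating that the origin is a local dev server and the flag must be off in release builds. If it is not meant to stay, remove both lines before merge. The enclosing `after_handle` starts outside this hunk.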