| author | Joseph Reynolds <joseph-reynolds@charter.net> | 2023-05-12 18:47:30 +0300 |
|---|---|---|
| committer | Ed Tanous <ed@tanous.net> | 2023-06-20 22:44:22 +0300 |
| commit | 1d9502bb7f39144e01773253de69190c917b9bed (patch) | |
| tree | e73cb15b376b5f92103d70dc0d25ef988885abf1 /include | |
| parent | e96d7fbfe7f8e4ced88e960a66fca639234929c1 (diff) | |
| download | bmcweb-1d9502bb7f39144e01773253de69190c917b9bed.tar.xz | |
Add headers Referrer-Policy and Permissions-Policy
This adds HTTP response headers Referrer-Policy and Permissions-Policy per
OWASP guidelines, with some appropriate values for BMCWeb.
https://owasp.org/www-project-secure-headers/
Policies are given for all standardized features. Most features are disabled
except for the following which the web application uses: usb=(self).
Tested: Yes
Via curl, confirmed headers are present.
On selected browsers, opened browser tools and confirmed browsers didn't
complain about the new headers. Browsers checked were:
- Firefox 111.0.1 (64-bit)
- Safari Version 16.4 (18615.1.26.11.23)
Did not test access to features secured by the Permissions-Policy.
Did not test if the web application features still work.
Change-Id: I65f89d2959b0b1338c20d7222229fbdc1d720834
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/security_headers.hpp | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp index 9877bb0b1a..d99729f420 100644 --- a/include/security_headers.hpp +++ b/include/security_headers.hpp @@ -26,6 +26,50 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], "mode=block"); res.addHeader("X-Content-Type-Options", "nosniff"); + // Recommendations from https://owasp.org/www-project-secure-headers/ + // https://owasp.org/www-project-secure-headers/ci/headers_add.json + res.addHeader("Referrer-Policy", "no-referrer"); + res.addHeader("Permissions-Policy", "accelerometer=(), " + "ambient-light-sensor=(), " + "autoplay=(), " + "battery=(), " + "bluetooth=(), " + "camera=(), " + "ch-ua=(), " + "ch-ua-arch=(), " + "ch-ua-bitness=(), " + "ch-ua-full-version=(), " + "ch-ua-full-version-list=(), " + "ch-ua-mobile=(), " + "ch-ua-model=(), " + "ch-ua-platform=(), " + "ch-ua-platform-version=(), " + "ch-ua-wow64=(), " + "cross-origin-isolated=(), " + "display-capture=(), " + "encrypted-media=(), " + "execution-while-not-rendered=(), " + "execution-while-out-of-viewport=(), " + "fullscreen=(), " + "geolocation=(), " + "gyroscope=(), " + "hid=(), " + "idle-detection=(), " + "keyboard-map=(), " + "magnetometer=(), " + "microphone=(), " + "midi=(), " + "navigation-override=(), " + "payment=(), " + "picture-in-picture=(), " + "publickey-credentials-get=(), " + "screen-wake-lock=(), " + "serial=(), " + "sync-xhr=(), " + "usb=(self), " + "web-share=(), " + "xr-spatial-tracking2=()"); + if (bmcwebInsecureDisableXssPrevention == 0) { res.addHeader("Content-Security-Policy", "default-src 'none'; " |
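Review bot: the final Permissions-Policy directive in this hunk, `"xr-spatial-tracking2=()"`, does not name a standardized feature; the directive is `xr-spatial-tracking`, and an unrecognized feature name is simply ignored by the browser, so as written this header does not actually restrict XR spatial tracking even though the commit message states that every standardized feature is covered. Change the line to `"xr-spatial-tracking=()"`. Since the commit message notes that neither feature access nor web application behaviour was tested under the new policy, it is also worth confirming in the web UI that directives such as `sync-xhr=()` and `fullscreen=()` do not break existing flows before merging.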