-rw-r--r-- | include/security_headers.hpp | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index 9877bb0b1a..d99729f420 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -26,6 +26,50 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
 "mode=block");
 res.addHeader("X-Content-Type-Options", "nosniff");
+ // Recommendations from https://owasp.org/www-project-secure-headers/
+ // https://owasp.org/www-project-secure-headers/ci/headers_add.json
+ res.addHeader("Referrer-Policy", "no-referrer");
+ res.addHeader("Permissions-Policy", "accelerometer=(), "
+ "ambient-light-sensor=(), "
+ "autoplay=(), "
+ "battery=(), "
+ "bluetooth=(), "
+ "camera=(), "
+ "ch-ua=(), "
+ "ch-ua-arch=(), "
+ "ch-ua-bitness=(), "
+ "ch-ua-full-version=(), "
+ "ch-ua-full-version-list=(), "
+ "ch-ua-mobile=(), "
+ "ch-ua-model=(), "
+ "ch-ua-platform=(), "
+ "ch-ua-platform-version=(), "
+ "ch-ua-wow64=(), "
+ "cross-origin-isolated=(), "
+ "display-capture=(), "
+ "encrypted-media=(), "
+ "execution-while-not-rendered=(), "
+ "execution-while-out-of-viewport=(), "
+ "fullscreen=(), "
+ "geolocation=(), "
+ "gyroscope=(), "
+ "hid=(), "
+ "idle-detection=(), "
+ "keyboard-map=(), "
+ "magnetometer=(), "
+ "microphone=(), "
+ "midi=(), "
+ "navigation-override=(), "
+ "payment=(), "
+ "picture-in-picture=(), "
+ "publickey-credentials-get=(), "
+ "screen-wake-lock=(), "
+ "serial=(), "
+ "sync-xhr=(), "
+ "usb=(self), "
+ "web-share=(), "
+ "xr-spatial-tracking2=()");
+
 if (bmcwebInsecureDisableXssPrevention == 0)
 {
 res.addHeader("Content-Security-Policy",
 "default-src 'none'; " |
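Review bot: `xr-spatial-tracking2=()` at the end of the Permissions-Policy value looks like a typo for the standard feature name `xr-spatial-tracking`; browsers ignore directive names they do not recognize, so the intended restriction would silently not apply — change the last literal to `"xr-spatial-tracking=()"`. `usb=(self)` is the only entry that grants anything while every other feature is fully denied; if the same-origin WebUSB allowance is deliberate, a one-line comment such as `// usb is left enabled for same-origin pages (reason: <fill in>)` would keep the next reader from "fixing" it back to `()`. Because the list is copied from an external recommendation that changes over time, it would also help to note in the existing comment which revision of headers_add.json the list was taken from, so a future refresh can diff against it. The enclosing addSecurityHeaders body starts before and ends after this hunk.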