summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/security_headers_middleware.hpp22
1 files changed, 16 insertions, 6 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 83df24c194..a89acaa603 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -37,6 +37,11 @@ struct SecurityHeadersMiddleware
res.addHeader(bf::pragma, "no-cache");
res.addHeader(bf::cache_control, "no-Store,no-Cache");
+ res.addHeader("X-XSS-Protection", "1; "
+ "mode=block");
+ res.addHeader("X-Content-Type-Options", "nosniff");
+
+#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
res.addHeader("Content-Security-Policy", "default-src 'none'; "
"img-src 'self' data:; "
"font-src 'self'; "
@@ -47,13 +52,18 @@ struct SecurityHeadersMiddleware
// strings. img-src 'self' data: is used to allow that.
// https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
- res.addHeader("X-XSS-Protection", "1; "
- "mode=block");
- res.addHeader("X-Content-Type-Options", "nosniff");
+#else
+ // If XSS is disabled, we need to allow loading from addresses other
+ // than self, as the BMC will be hosted elsewhere.
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src *; "
+ "font-src *; "
+ "style-src *; "
+ "script-src *; "
+ "connect-src *");
-#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
- res.addHeader(bf::access_control_allow_origin,
- req.getHeaderValue("Origin"));
+ const std::string_view origin = req.getHeaderValue("Origin");
+ res.addHeader(bf::access_control_allow_origin, origin);
res.addHeader(bf::access_control_allow_methods, "GET, "
"POST, "
"PUT, "
generated by cgit v1.2.3 (git 2.39.0) at 2024-09-30 13:53:15 +0300