Diffstat (limited to 'include/security_headers_middleware.hpp')
-rw-r--r-- | include/security_headers_middleware.hpp | 34 |
1 files changed, 15 insertions, 19 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 19644f45bd..e12395a553 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -4,34 +4,28 @@
 #include <crow/http_response.h>
 namespace crow {
-static const std::string strict_transport_security_key =
- "Strict-Transport-Security";
-static const std::string strict_transport_security_value =
+static const char* strict_transport_security_key = "Strict-Transport-Security";
+static const char* strict_transport_security_value =
 "max-age=31536000; includeSubdomains; preload";
-static const std::string ua_compatability_key = "X-UA-Compatible";
-static const std::string ua_compatability_value = "IE=11";
+static const char* ua_compatability_key = "X-UA-Compatible";
+static const char* ua_compatability_value = "IE=11";
-static const std::string xframe_key = "X-Frame-Options";
-static const std::string xframe_value = "DENY";
+static const char* xframe_key = "X-Frame-Options";
+static const char* xframe_value = "DENY";
-static const std::string xss_key = "X-XSS-Protection";
-static const std::string xss_value = "1; mode=block";
-
-static const std::string content_security_key = "X-Content-Security-Policy";
-static const std::string content_security_value = "default-src 'self'";
+static const char* xss_key = "X-XSS-Protection";
+static const char* xss_value = "1; mode=block";
+static const char* content_security_key = "X-Content-Security-Policy";
+static const char* content_security_value = "default-src 'self'";
 struct SecurityHeadersMiddleware {
 struct context {};
- void before_handle(crow::request& req,
- response& res,
- context& ctx) {}
+ void before_handle(crow::request& req, response& res, context& ctx) {}
- void after_handle(request& /*req*/,
- response& res,
- context& ctx) {
+ void after_handle(request& req, response& res, context& ctx) {
 /* TODO(ed) these should really check content types. for example, X-UA-Compatible header doesn't make sense when retrieving a JSON or
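Review bot: The rewritten `after_handle` signature names the `req` parameter that the old code deliberately left as `/*req*/`, and nothing in the visible part of the body reads it, so this now triggers -Wunused-parameter on every translation unit including this header; keep `request& /*req*/` or mark it `[[maybe_unused]] request& req`. While these constants were being rewritten, `content_security_key` still carries the legacy prefixed name `X-Content-Security-Policy`, which current browsers do not enforce, so the `default-src 'self'` policy is most likely not being applied at all; the standard name is `Content-Security-Policy`, and switching it should be tested against the served pages since the policy would start taking effect. As a matter of style, `static const char*` in a header gives every translation unit its own mutable pointer; `static constexpr const char*` (or `constexpr std::string_view` if add_header accepts it) states the intent better. The body of `after_handle` continues outside this hunk.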
@@ -43,6 +37,8 @@ struct SecurityHeadersMiddleware {
 res.add_header(xframe_key, xframe_value);
 res.add_header(xss_key, xss_value);
 res.add_header(content_security_key, content_security_value);
+ res.add_header("Access-Control-Allow-Origin", "http://localhost:8085");
+ res.add_header("Access-Control-Allow-Credentials", "true");
 }
 };
-}
\ No newline at end of file
+} // namespace crow
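Review bot: The two added `add_header` calls hard-code a development origin, `http://localhost:8085`, together with `Access-Control-Allow-Credentials: true` on every response, which means any page a user happens to have open on that local port can make credentialed cross-origin requests to this API in every build that ships this header. A security-headers middleware is the wrong place for a fixed CORS exception; the allowed origin should come from configuration (or be compiled in only for a debug build), and the header should be emitted only when the incoming `Origin` header matches that configured value, with `Access-Control-Allow-Credentials` sent only alongside a matched, non-wildcard origin. At minimum, a comment such as `// Development-only CORS exception for the local frontend; must not ship enabled` and a build guard around the two lines would document the intent. `after_handle` begins outside this hunk, so I cannot see whether anything upstream already restricts these headers by request.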