path: root/include/security_headers.hpp
Age | Commit message | Author | Files | Lines
2024-04-27 | Add static webpack etag support | Ed Tanous | 1 file | -1/+4

Webpack (which is what vue uses to compress its HTML) is capable of generating hashes of files when it produces the dist files[1]. This gets generated in the form of <filename>.<hash>.<extension>. This commit attempts to detect these patterns, and enable etag caching to speed up webui load times. It detects these patterns, grabs the hash for the file, and returns it in the Etag header[2].

The behavior is implemented such that:
- If the file has an etag, the etag header is returned.
- If the request has an If-None-Match header, and that header matches, only 304 is returned.

Tested:
Tests were run on qemu S7106 bmcweb with default error logging level, and HTTP/2 enabled, along with svg optimization patches. Run scripts/generate_auth_certificate.py to set up TLS certificates (valid TLS certs are required for HTTP caching to work properly in some browsers). Load the webui. Note that DOM load takes 1.10 seconds, Load takes 1.10 seconds, and all requests return 200 OK. Refresh the GUI. Note that most resources now return 304, and DOM time is reduced to 279 milliseconds and load is reduced to 280 milliseconds. DOM load (which is what the BMC has control over) is decreased by a factor of 3-4X. Setting chrome to "Fast 5g" throttling in the network tab shows a more pronounced difference, 1.28S load time vs 3.96S. BMC also shows 477KB transferred on the wire, versus 2.3KB transferred on the wire. This has the potential to significantly reduce the load on the BMC when the webui refreshes.

[1] https://webpack.js.org/guides/caching/
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag

Change-Id: I68aa7ef75533506d98e8fce10bb04a494dc49669
Signed-off-by: Ed Tanous <ed@tanous.net>
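The hash extraction and ETag/If-None-Match decision described in this commit, as an added example that is not bmcweb's own code. `webpackHash` and `serveStatic` are hypothetical names; the assumptions are that the hash segment is hexadecimal and at least 8 characters long (webpack's default `[contenthash:8]`) and that matching is an exact comparison of the quoted ETag, so weak validators and comma-separated If-None-Match lists are treated as a miss and answered with a full 200.

```cpp
#include <cctype>
#include <optional>
#include <string>
#include <string_view>

// Added example, not bmcweb code: the ETag flow described in the commit above.
// Assumption: webpack names files <name>.<hash>.<ext> with a hexadecimal
// contenthash of at least 8 characters (webpack's default [contenthash:8]).
std::optional<std::string> webpackHash(std::string_view filename) {
    size_t extDot = filename.rfind('.');
    if (extDot == std::string_view::npos || extDot == 0) {
        return std::nullopt; // no extension, or nothing before it
    }
    std::string_view stem = filename.substr(0, extDot);
    size_t hashDot = stem.rfind('.');
    if (hashDot == std::string_view::npos || hashDot == 0) {
        return std::nullopt; // no <hash> segment before the extension
    }
    std::string_view hash = stem.substr(hashDot + 1);
    if (hash.size() < 8) {
        return std::nullopt; // too short to be a content hash
    }
    for (char c : hash) {
        if (std::isxdigit(static_cast<unsigned char>(c)) == 0) {
            return std::nullopt; // e.g. "app.min.js": "min" is not hex
        }
    }
    return std::string(hash);
}

struct StaticResponse {
    int status;       // 200 (send the body) or 304 (client copy is current)
    std::string etag; // ETag header value; empty means "send no ETag"
};

// Decide how to answer a static-file request from its If-None-Match header.
// Simplification: exact match on the quoted ETag only; weak validators
// (W/"...") and comma-separated lists count as a miss and get a full 200.
StaticResponse serveStatic(std::string_view filename, std::string_view ifNoneMatch) {
    std::optional<std::string> hash = webpackHash(filename);
    if (!hash) {
        return {200, ""}; // un-hashed file: always send the body, no ETag
    }
    std::string etag = "\"" + *hash + "\""; // ETag values are quoted strings
    if (ifNoneMatch == etag) {
        return {304, etag}; // client already has this exact build of the file
    }
    return {200, etag};
}
```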
2024-04-23 | Remove XSS prevention code | Ed Tanous | 1 file | -46/+14

This feature was created for a time before webpack had a built in proxy, and to debug the UI required setting specific flags. The webpack proxy solves this problem in a much better way, by proxying everything.

This commit is one piece in solving a use-after-free bug. Removing this allows us to no longer have to cache the origin header [1], which is only used in this mode.

Tested: Code compiles.

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/70850

Change-Id: I01d67006e217c0c9fd2db7526c0ec34b0da068f3
Signed-off-by: Ed Tanous <ed@tanous.net>
2024-04-23 | Implement a Content-Security-Policy TODO | Ed Tanous | 1 file | -83/+82

This TODO has been in bmcweb for a very long time. Implement it.

W3 sets rules for what security policies apply to which content types[1]. Reading through this, essentially CSP should only apply to HTML files.

Tested: Unit tests pass. Webui loads properly. Chrome network window shows headers show up as expected.

[1] https://www.w3.org/TR/CSP2/#which-policy-applies

Change-Id: I5467d0373832668763c72a66da2a8872e07bfb58
Signed-off-by: Ed Tanous <ed@tanous.net>
2024-03-22 | Fix content-security-policy disable | Ed Tanous | 1 file | -1/+1

If one sets the XSS policy to disabled, and tries to load the webui, they're met with the following error message:

```
chunk-vendors.6cfb4b74.js:36 Refused to load the image 'data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5'%3E%3Cpath fill='%233f3f3f' d='M2 0L0 2h4zm0 5L0 3h4z'/%3E%3C/svg%3E' because it violates the following Content Security Policy directive: "img-src *". Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme 'data:' must be added explicitly.
```

Do as it asks, and add data: to the content security policy.

Tested: Browser console no longer shows error when XSS is enabled.

Change-Id: I17f70d7c87a284b33ef6eb5a01a01c23a14898c9
Signed-off-by: Ed Tanous <ed@tanous.net>
2023-12-05 | Unit test Connection | Ed Tanous | 1 file | -3/+0

Boost asio provides a test stream object that we can use to begin unit testing the connection object. This patchset uses it to re-enable some simple http1.1 tests.

There are some features that have snuck into the connection class that aren't compatible with a stream (like ip address getting), so unfortunately we do need the connection class to be aware if it's in test mode, but that tradeoff seems worthwhile.

Tested: Unit tests pass.

Change-Id: Id8b1f8866582b58502dbafe6139f841bf64b8ef3
Signed-off-by: Ed Tanous <edtanous@google.com>
2023-08-16 | Add missing comma in Permissions-Policy | Joseph Reynolds | 1 file | -1/+1

This adds a missing comma in the Permissions-Policy response header value.

Tested: no; I didn't even try to compile it.

Change-Id: I4f08b54a5e5af040e10a95d913ef8b457f5bd457
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
2023-06-29 | Update to owasp headers | Ed Tanous | 1 file | -48/+41

Change the Cache-Control header to what OWASP recommends.

Remove the X-XSS-Protection. This has been removed from Chrome, and is unimplemented in other browsers[1].

Add:
- X-Permitted-Cross-Domain-Policies
- Clear-Site-Data
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy

And set them to the OWASP recommended values.

Tested: The OWASP Venom test suite now passes more tests.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Change-Id: I2860041c1037f47bb85a6444cec66960d0aa55f9
Signed-off-by: Ed Tanous <edtanous@google.com>
2023-06-20 | Add headers Referrer-Policy and Permissions-Policy | Joseph Reynolds | 1 file | -0/+44

This adds HTTP response headers Referrer-Policy and Permissions-Policy per OWASP guidelines, with some appropriate values for BMCWeb. https://owasp.org/www-project-secure-headers/

Policies are given for all standardized features. Most features are disabled except for the following which the web application uses: usb=(self).

Tested: Yes
Via curl, confirmed headers are present. On selected browsers, opened browser tools and confirmed browsers didn't complain about the new headers. Browsers checked were:
- Firefox 111.0.1 (64-bit)
- Safari Version 16.4 (18615.1.26.11.23)
Did not test access to features secured by the Permissions-Policy. Did not test if the web application features still work.

Change-Id: I65f89d2959b0b1338c20d7222229fbdc1d720834
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
2023-02-24 | Pass string views by value | Ed Tanous | 1 file | -1/+1

string_view should always be passed by value; this commit is a sed replace of the code to make all string_views pass by value, per general coding guidelines[1].

[1] https://quuxplusone.github.io/blog/2021/11/09/pass-string-view-by-value/

Tested: Code compiles.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I55b342a29a0fbfce0a4ed9ea63db6014d03b134c
2023-01-18 | Fix a boatload of #includes | Ed Tanous | 1 file | -2/+3

Most of these missing includes were found by running clang-tidy on all files, including headers. The existing scripts just run clang-tidy on source files, which doesn't catch most of these.

Tested: Code compiles

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic741fbb2cc9e5e92955fd5a1b778a482830e80e8
2022-03-21 | Replace CSP plugin-types directive with object-src | Jiaqing Zhao | 1 file | -2/+2

The HTTP Content-Security-Policy (CSP) plugin-types directive has been removed from the specification and is not supported by most browsers. Chrome browser suggests specifying "object-src 'none'" instead to block plugins, so replace it with that directive. Refer to https://github.com/w3c/webappsec-csp/issues/394 for details about this change.

Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP plugin-types directive.
* Checked neither <embed>, <object> nor <applet> tags are used in either phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console work.

Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>
2022-02-15 | Enable readability-implicit-bool-conversion checks | Ed Tanous | 1 file | -1/+1

These checks ensure that we're not implicitly converting ints or pointers into bools, which makes the code easier to read.

Tested: Ran series through redfish service validator. No changes observed. UUID failing in Qemu both before and after.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I1ca0be980d136bd4e5474341f4fd62f2f6bbdbae
2021-06-22 | Fix include what you use in bmcweb_config.h | Ed Tanous | 1 file | -0/+2

As part of rearranging include files, it was found that a couple files don't include what they use. bmcweb_config.h.in uses size_t, which isn't in cstdint, and a couple files use variables out of bmcweb_config.h, which it didn't include.

Tested: Code compiles; No functional changes.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I6d8f3617d10a30a1f0209e492841e9d3adc9c3f3
2021-04-14 | Add Content-Security-Policy(CSP) Level2 Directives | Basheer Ahmed Muddebihal | 1 file | -3/+12

Content Security Policy Level2 directives as below:
- form-action set to 'none': no form submissions to external websites.
- frame-ancestors set to 'none': preventing framing attacks (clickjacking, cross-site leaks).
- plugin-types set to 'none': plugins are not allowed.
- base-uri set to 'none': protect against classical stored, reflected, and some of the DOM XSS attacks.

More information: <https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html>

Tested: Checked the CSP level directives in Chrome/Firefox/Safari Browsers, webui and webui-vue.

Change-Id: Id823958469fdbb02259fcc24c4e91789c65eec33
Signed-off-by: Basheer Ahmed Muddebihal <basheerx.muddebihal@intel.com>
2021-03-09 | Fix KVM issue on DISABLE_XSS_PREVENTION | Arun P. Mohanan | 1 file | -1/+1

Fix KVM failed to load images issue introduced by incorrect condition updated by commit 0260d9d6b252d5fef81a51d4797e27a6893827f4.

Tested: KVM loaded images successfully

Signed-off-by: Arun P. Mohanan <arun.p.m@linux.intel.com>
Change-Id: Ib753ed1d56ce2e0a9228ca52e36ffab298d21cff
2021-02-19 | Fix compile issue on DISABLE_XSS_PREVENTION | Ed Tanous | 1 file | -37/+39

Fixes #178

Every few months, this option breaks because of some combination of compiler options. I'm hoping that this is a more permanent fix, and will keep it working forever.

Functionally, this commit changes a couple things.
1. It fixes the regression that snuck into this option, by making the req variable optional using the c++17 [[maybe_unused]] syntax.
2. It promotes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION into the config.h file, and a constexpr variable rather than a #define. This has the benefit that both the code paths in question will be compiled regardless of whether or not they're used, thus ensuring they stay buildable forever. The optimization path will still delete the code later, but we won't have so many one-off build options breaking. We should move all the other feature driven #ifdefs to this pattern in the future.
3. As a mechanical change to #2, this adds a config.h.in, which declares the various variables as their respective constexpr types. This allows the constants to be used in a cleaner way.

As an aside, at some point, DISABLE_XSS_PREVENTION should really move to a non-persistent runtime option rather than a compile time option. Too many people get hung up on having to recompile their BMC, and moving it to runtime under admin credentials is no more a security risk.

As another aside, we should move all the other #ifdef style options to this pattern. It seems like it would help with keeping all options buildable, and is definitely more modern than #ifdefs for features, especially if they don't require #include changes or linker changes.

Tested: enabled meson option insecure-disable-xss, and verified code builds and works again.

Change-Id: Id03faa17cffdbabaf4e5b0d46b24bb58b7f44669
Signed-off-by: Ed Tanous <edtanous@google.com>
2020-10-23 | fix include names | Ed Tanous | 1 file | -1/+1

cppcheck isn't smart enough to recognize these are c++ headers, not c headers. Considering we're already inconsistent about our naming, it's easier to just be consistent, and move the last few files to use .hpp instead of .h.

Tested: Code builds, no changes.

Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ic348d695f8527fa4a0ded53f433e1558c319db40
2020-08-17 | Remove middlewares | Ed Tanous | 1 file | -0/+61

Middlewares, while kinda cool from an academic standpoint, make our build times even worse than they already are. Given that we only really use 1 real middleware today (token auth) and it needs to move into the parser mode anyway (for security limiting buffer sizes), we might as well use this as an opportunity to delete some code.

Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates.

This should be a decent (unmeasured) win on compile times.

This commit was part of a commit previously called "various cleanups". This separates ONLY the middleware deletion part of that. Note, this also deletes about 400 lines of hard to understand code.

Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>