From d8139c683a2f42c47ed913b731becc6cd681e2dd Mon Sep 17 00:00:00 2001 From: Ed Tanous Date: Wed, 14 Jun 2023 17:11:47 -0700 Subject: Update to owasp headers Change the Cache-Control header to what owasp recommends. Remove the X-XSS-Protection. This has been removed from Chrome, and is unimplemented in other browsers[1]. Add: X-Permitted-Cross-Domain-Policies Clear-Site-Data Cross-Origin-Embedder-Policy Cross-Origin-Opener-Policy Cross-Origin-Resource-Policy And set them to the OWASP recommended values. Tested: The OWASP Venom test suite now passes more tests. [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection Change-Id: I2860041c1037f47bb85a6444cec66960d0aa55f9 Signed-off-by: Ed Tanous
---
 include/login_routes.hpp | 3 +- include/security_headers.hpp | 89 ++++++++++++++++++++------------------------ 2 files changed, 43 insertions(+), 49 deletions(-)
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index f2e9589f94..482b613ecf 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -235,7 +235,8 @@ inline void requestRoutes(App& app)
 "SESSION=" "; SameSite=Strict; Secure; HttpOnly; " "expires=Thu, 01 Jan 1970 00:00:00 GMT");
-
+ asyncResp->res.addHeader("Clear-Site-Data",
+ R"("cache","cookies","storage")");
 persistent_data::SessionStore::getInstance().removeSession(session);
 }
 });
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index d99729f420..9615f6548c 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
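Review bot: The new `Clear-Site-Data` call in the logout handler carries no comment saying why it sits next to the expired `SESSION` cookie, and the `"storage"` directive also wipes the origin's localStorage and sessionStorage, which a web-UI maintainer should be told explicitly. Browsers that do not honour Clear-Site-Data still rely on the expired Set-Cookie above it, so that line must stay as the fallback. I would add above the new call: `// Also tell the browser to drop its cache, cookies and origin storage for this site; the expired Set-Cookie above remains the fallback where Clear-Site-Data is unsupported.` The enclosing logout handler inside requestRoutes starts and ends outside the hunk.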
@@ -10,65 +10,58 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
 {
 /* TODO(ed) these should really check content types. for example,
- X-UA-Compatible header doesn't make sense when retrieving a JSON or
+ X-Content-Type-Options header doesn't make sense when retrieving a JSON or
 javascript file. It doesn't hurt anything, it's just ugly. */
 using bf = boost::beast::http::field;
+
+ // Recommendations from https://owasp.org/www-project-secure-headers/
+ // https://owasp.org/www-project-secure-headers/ci/headers_add.json
 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
- "includeSubdomains; "
- "preload");
+ "includeSubdomains");
 res.addHeader(bf::x_frame_options, "DENY");
 res.addHeader(bf::pragma, "no-cache");
- res.addHeader(bf::cache_control, "no-Store,no-Cache");
+ res.addHeader(bf::cache_control, "no-store, max-age=0");
- res.addHeader("X-XSS-Protection", "1; "
- "mode=block");
 res.addHeader("X-Content-Type-Options", "nosniff");
- // Recommendations from https://owasp.org/www-project-secure-headers/
- // https://owasp.org/www-project-secure-headers/ci/headers_add.json
 res.addHeader("Referrer-Policy", "no-referrer");
- res.addHeader("Permissions-Policy", "accelerometer=(), "
- "ambient-light-sensor=(), "
- "autoplay=(), "
- "battery=(), "
- "bluetooth=(), "
- "camera=(), "
- "ch-ua=(), "
- "ch-ua-arch=(), "
- "ch-ua-bitness=(), "
- "ch-ua-full-version=(), "
- "ch-ua-full-version-list=(), "
- "ch-ua-mobile=(), "
- "ch-ua-model=(), "
- "ch-ua-platform=(), "
- "ch-ua-platform-version=(), "
- "ch-ua-wow64=(), "
- "cross-origin-isolated=(), "
- "display-capture=(), "
- "encrypted-media=(), "
- "execution-while-not-rendered=(), "
- "execution-while-out-of-viewport=(), "
- "fullscreen=(), "
- "geolocation=(), "
- "gyroscope=(), "
- "hid=(), "
- "idle-detection=(), "
- "keyboard-map=(), "
- "magnetometer=(), "
- "microphone=(), "
- "midi=(), "
- "navigation-override=(), "
- "payment=(), "
- "picture-in-picture=(), "
- "publickey-credentials-get=(), "
- "screen-wake-lock=(), "
- "serial=(), "
- "sync-xhr=(), "
- "usb=(self), "
- "web-share=(), "
- "xr-spatial-tracking2=()");
+ res.addHeader("Permissions-Policy", "accelerometer=(),"
+ "ambient-light-sensor=(),"
+ "autoplay=(),"
+ "battery=(),"
+ "camera=(),"
+ "display-capture=(),"
+ "document-domain=(),"
+ "encrypted-media=(),"
+ "fullscreen=(),"
+ "gamepad=(),"
+ "geolocation=(),"
+ "gyroscope=(),"
+ "layout-animations=(self),"
+ "legacy-image-formats=(self),"
+ "magnetometer=(),"
+ "microphone=(),"
+ "midi=(),"
+ "oversized-images=(self),"
+ "payment=(),"
+ "picture-in-picture=(),"
+ "publickey-credentials-get=(),"
+ "speaker-selection=()"
+ "sync-xhr=(self),"
+ "unoptimized-images=(self),"
+ "unsized-media=(self),"
+ "usb=(),"
+ "screen-wak-lock=(),"
+ "web-share=(),"
+ "xr-spatial-tracking=()");
+
+ res.addHeader("X-Permitted-Cross-Domain-Policies", "none");
+
+ res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
+ res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
+ res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
 if (bmcwebInsecureDisableXssPrevention == 0)
 {
-- cgit v1.2.3