feat: helmet: add allow methods, drop experiment with hsts.

Signed-off-by: Amlal El Mahrouss <amlal@nekernel.org>

Author: amlel-el-mahrouss

include/boost/http_proto/server/helmet.hpp

@@ -290,7 +290,7 @@ class helmet
             @return A reference to this object for chaining.
         */
         BOOST_HTTP_PROTO_DECL
-        csp_policy& set(const core::string_view& allow,
+        csp_policy& allow(const core::string_view& allow,
                                 const csp_type& type);
 
         /** Remove a CSP directive.
@@ -314,161 +314,37 @@ class helmet
             @throws std::invalid_argument if parameters are empty.
         */
         BOOST_HTTP_PROTO_DECL
-        csp_policy& set(const core::string_view& allow,
+        csp_policy& allow(const core::string_view& allow,
                                 const urls::url_view& source);
     };
 };
 
-/** Return X-Download-Options header configuration.
-
-    Controls file download behavior in Internet Explorer 8+.
-
-    @param type The download restriction type.
-
-    @return Header name and value pair.
-*/
 option_pair x_download_options(const helmet_download_type& type);
 
-/** Return X-Frame-Options header configuration.
-
-    Prevents clickjacking attacks by controlling frame embedding.
-
-    @param origin The frame embedding policy.
-
-    @return Header name and value pair.
-*/
 option_pair x_frame_origin(const helmet_origin_type& origin);
 
-/** Return X-XSS-Protection header configuration.
-
-    Disables legacy XSS filtering which can create vulnerabilities.
-    Modern browsers rely on CSP instead.
-
-    @return Header name and value pair (always "0").
-*/
 option_pair x_xss_protection();
 
-/** Return X-Content-Type-Options header configuration.
-
-    Prevents MIME-type sniffing attacks.
-
-    @return Header name and value pair (always "nosniff").
-*/
 option_pair x_content_type_options();
 
-/** Return Content-Security-Policy header configuration.
-
-    Configures CSP to prevent XSS and data injection attacks.
-
-    @param sp The CSP policy with directives.
-
-    @return Header name and value pair.
-
-    @throws std::invalid_argument if the policy is empty.
-*/
 option_pair content_security_policy(const helmet::csp_policy& sp);
 
-/** Return Strict-Transport-Security header configuration.
-
-    Enforces HTTPS connections to prevent downgrade attacks.
-
-    @param options HSTS configuration parameters.
-
-    @return Header name and value pair.
-*/
-template <const std::size_t Age, const bool IncludeDomains = true, const bool Preload = true>
-inline option_pair strict_transport_security()
-{
-    std::string value = "max-age=" + std::to_string(Age);
-
-    if constexpr (IncludeDomains)
-    {
-        value += "; includeSubDomains";
-    }
-
-    if constexpr (Preload)
-    {
-        value += "; preload";
-    }
-
-    return {"Strict-Transport-Security", {value}};
-}
-
-/** Return Cross-Origin-Opener-Policy header configuration.
-
-    Controls cross-origin window isolation.
-
-    @param policy The COOP policy type.
+option_pair strict_transport_security(const std::size_t age, const bool include_domains = true, const bool preload = false);
 
-    @return Header name and value pair.
-*/
 option_pair cross_origin_opener_policy(const coop_policy_type& policy = coop_policy_type::same_origin);
 
-/** Return Cross-Origin-Resource-Policy header configuration.
-
-    Controls cross-origin resource sharing.
-
-    @param policy The CORP policy type.
-
-    @return Header name and value pair.
-*/
 option_pair cross_origin_resource_policy(const corp_policy_type& policy = corp_policy_type::same_origin);
 
-/** Return Cross-Origin-Embedder-Policy header configuration.
-
-    Controls embedding of cross-origin resources.
-
-    @param policy The COEP policy type.
-
-    @return Header name and value pair.
-*/
 option_pair cross_origin_embedder_policy(const coep_policy_type& policy = coep_policy_type::require_corp);
 
-/** Return Referrer-Policy header configuration.
-
-    Controls how much referrer information is sent with requests.
-
-    @param policy The referrer policy type.
-
-    @return Header name and value pair.
-*/
 option_pair referrer_policy(const referrer_policy_type& policy = referrer_policy_type::no_referrer);
 
-/** Return Origin-Agent-Cluster header configuration.
-
-    Requests origin-keyed agent clusters for better isolation.
-
-    @return Header name and value pair (always "?1").
-*/
 option_pair origin_agent_cluster();
 
-/** Return X-DNS-Prefetch-Control header configuration.
-
-    Controls DNS prefetching to balance performance and privacy.
-
-    @param allow Whether to enable DNS prefetching.
-
-    @return Header name and value pair.
-*/
 option_pair dns_prefetch_control(bool allow = false);
 
-/** Return X-Permitted-Cross-Domain-Policies header configuration.
-
-    Controls cross-domain policy files for Flash and Adobe Acrobat.
-
-    @param policy The cross-domain policy type.
-
-    @return Header name and value pair.
-*/
 option_pair permitted_cross_domain_policies(const cross_domain_policy_type& policy = cross_domain_policy_type::none);
 
-/** Return configuration to remove X-Powered-By header.
-
-    Removes the X-Powered-By header to avoid revealing
-    server technology details.
-
-    @return Header name with empty value (triggers removal).
-*/
 option_pair hide_powered_by();
 
 }

src/server/helmet.cpp

@@ -42,7 +42,7 @@ helmet_options::helmet_options()
     this->set(x_frame_origin(helmet_origin_type::deny));
     this->set(x_xss_protection());
     this->set(x_content_type_options());
-    this->set(strict_transport_security<hsts::default_age, hsts::include_subdomains, hsts::preload>());
+    this->set(strict_transport_security(hsts::default_age, hsts::include_subdomains, hsts::preload));
     this->set(cross_origin_opener_policy());
     this->set(cross_origin_resource_policy());
     this->set(origin_agent_cluster());
@@ -143,7 +143,7 @@ operator()(
     return route::next;
 }
 
-helmet::csp_policy& helmet::csp_policy::set(const core::string_view& allow, 
+helmet::csp_policy& helmet::csp_policy::allow(const core::string_view& allow, 
                             const urls::url_view& source)
 {
     if (!source.scheme().starts_with("http"))
@@ -176,7 +176,7 @@ helmet::csp_policy& helmet::csp_policy::set(const core::string_view& allow,
     return *this;
 }
 
-helmet::csp_policy& helmet::csp_policy::set(const core::string_view& allow, const csp_type& type)
+helmet::csp_policy& helmet::csp_policy::allow(const core::string_view& allow, const csp_type& type)
 {
     if (allow.empty())
         detail::throw_invalid_argument();
@@ -373,6 +373,23 @@ option_pair cross_origin_embedder_policy(const coep_policy_type& policy)
     return {"Cross-Origin-Embedder-Policy", {value}};
 }
 
+option_pair strict_transport_security(const std::size_t age, const bool include_domains, const bool preload)
+{
+    std::string value = "max-age=" + std::to_string(age);
+
+    if (include_domains)
+    {
+        value += "; includeSubDomains";
+    }
+
+    if (preload)
+    {
+        value += "; preload";
+    }
+
+    return {"Strict-Transport-Security", {value}};
+}
+
 option_pair referrer_policy(const referrer_policy_type& policy)
 {
     std::string value;

test/unit/server/helmet.cpp

@@ -97,7 +97,7 @@ struct helmet_test
         {
             helmet_options opt;
 
-            opt.set(strict_transport_security<hsts::default_age>());
+            opt.set(strict_transport_security(hsts::default_age));
 
             helmet helmet{opt};
             route_params p;
@@ -112,7 +112,7 @@ struct helmet_test
         {
             helmet_options opt;
 
-            opt.set(strict_transport_security<86400, hsts::include_subdomains, hsts::preload>());
+            opt.set(strict_transport_security(86400, false, false));
 
             helmet helmet{opt};
             route_params p;