The REST API's HTTP responses are missing several security headers. Per the OWASP XSS Prevention Cheat Sheet (https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet), these should be sent even when the body is JSON.
For example, an HTTPS GET of /${bmc}/xyz/openbmc_project/network/enumerate returns JSON with response headers that do not include:
- Content-Security-Policy
- X-Content-Type-Options
- X-XSS-Protection
- Strict-Transport-Security
- and other similar headers
The fix is to add these headers to the HTTP response.
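As an added example (not OpenBMC's or bmcweb's code), the Python below checks a captured HTTP response for the headers listed above and builds the corrected header set. The recommended values, the one-year HSTS minimum and the two sample responses are assumptions constructed for illustration; the header names are the ones named in this report.

```python
"""Audit an HTTP response for the hardening headers this report lists, and
build the corrected header set.

Added example, not OpenBMC's or bmcweb's code. Recommended values follow the
OWASP cheat sheets; the sample response is constructed for illustration.
"""
import re

# Header -> value to add when missing. The CSP and HSTS values are
# assumptions suitable for a JSON-only API; tune them per deployment.
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "default-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed minimum for this check


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict.
    Keys are lower-cased because header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # malformed line: ignore rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict) -> dict:
    """Return {header: problem} for each recommended header that is missing
    or carries a weak value. An empty dict means the response passes."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name in RECOMMENDED_HEADERS:
        value = lower.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            findings[name] = f"expected 'nosniff', got {value!r}"
        elif name == "Strict-Transport-Security":
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings[name] = f"max-age below {MIN_HSTS_MAX_AGE}: {value!r}"
    return findings


def add_security_headers(headers: dict) -> dict:
    """Return a copy of the headers with every missing recommended header
    added; headers already present (in any letter case) are left untouched."""
    present = {k.lower() for k in headers}
    fixed = dict(headers)
    for name, value in RECOMMENDED_HEADERS.items():
        if name.lower() not in present:
            fixed[name] = value
    return fixed


# Constructed sample: a JSON response carrying only the basic headers,
# as described in the report for the network/enumerate endpoint.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)


if __name__ == "__main__":
    weak = parse_response_headers(WEAK_RESPONSE)
    for header, problem in sorted(audit_security_headers(weak).items()):
        print(f"{header}: {problem}")
    fixed = add_security_headers(weak)
    print("after fix:", audit_security_headers(fixed))  # {}
```

Running it against the constructed response reports all five headers as missing, and an empty result after `add_security_headers` is applied. The value checks matter as much as presence: `X-Content-Type-Options` only helps with the literal value `nosniff`, and an HSTS header with a tiny `max-age` is little better than none.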