uwe.admin/oatpp-authkit
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
oatpp-authkit/include/oatpp-authkit/interceptor/SecurityHeadersInterceptor.hpp
Uwe Schuster 32356ad226 v0.1.0: initial clean-lift from fewo-webapp 
Header-only C++ library; CMake config package; zero-coupling files lifted
from fewo-webapp:

  interceptor/SecurityHeadersInterceptor.hpp
  interceptor/BodySizeLimitInterceptor.hpp
  handler/JsonErrorHandler.hpp
  util/RateLimiter.hpp
  util/TokenExtract.hpp    (extractToken, isValidIp, clientIpTrusted)
  startup/RequireEncryptionKey.hpp

fewo-specific couplings (bindAddress global, fewo::config) replaced with
explicit function arguments so the library stands alone.

AuthInterceptor + requireAdmin deferred to v0.2 — they need IAuthBackend /
IAuthPolicy / IRuntimeConfig seams designed first.

docs/security-baseline.md ships CSP / rate-limit / body-size / encryption
key constants as language-neutral baselines for non-C++ consumers.

Closes fewo-webapp#412

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 21:42:53 +02:00

39 lines
1.6 KiB
C++
Raw Blame History

#ifndef SecurityHeadersInterceptor_hpp
#define SecurityHeadersInterceptor_hpp
#include "oatpp/web/server/interceptor/ResponseInterceptor.hpp"
/**
* @brief Response interceptor that adds standard security headers to all responses.
*
* Headers added:
* - X-Content-Type-Options: nosniff — prevents MIME type sniffing
* - X-Frame-Options: SAMEORIGIN — prevents clickjacking
* - Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage
* - Content-Security-Policy — restricts resource loading sources
*/
class SecurityHeadersInterceptor : public oatpp::web::server::interceptor::ResponseInterceptor {
public:
std::shared_ptr<OutgoingResponse> intercept(
const std::shared_ptr<IncomingRequest>& request,
const std::shared_ptr<OutgoingResponse>& response) override {
response->putHeader("X-Content-Type-Options", "nosniff");
response->putHeader("X-Frame-Options", "SAMEORIGIN");
response->putHeader("Referrer-Policy", "strict-origin-when-cross-origin");
response->putHeader("Content-Security-Policy",
"default-src 'self'; "
"script-src 'self' 'unsafe-inline' https://unpkg.com; "
"style-src 'self' 'unsafe-inline' https://unpkg.com; "
"img-src 'self' data: https:; "
"connect-src 'self' wss: ws:; "
"font-src 'self'; "
"frame-ancestors 'self'; "
"base-uri 'self'; "
"form-action 'self'");
response->putHeader("Strict-Transport-Security",
"max-age=63072000; includeSubDomains");
return response;
}
};
#endif
Reference in a new issue View git blame Copy permalink