Added the default OWASP http headers to http responses.

configure.ac

@@ -669,6 +669,8 @@ fi
 AM_CONDITIONAL(ENABLE_OIDC_AUTH,  test "x$enable_oidc_auth" = xyes)
 AM_CONDITIONAL(ENABLE_OIDC_AUTH_TESTS, test "x$enable_oidc_auth" = xyes)
 
+AC_DEFINE([ADD_OWASP_HEADERS], 1, [Add OWASP default http headers to responses])
+
 AC_CHECK_FILE(/proc/self/exe, AC_DEFINE([PROC_FS_SUPPORTED],[1], [procfs supported]), [])
 
 uid=$(id -u)

src/worker-auth.c

@@ -438,6 +438,14 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg, unsig
 		goto cleanup;
 	}
 
+#ifdef ADD_OWASP_HEADERS
+	ret = add_owasp_headers(ws);
+	if (ret < 0) {
+		ret = -1;
+		goto cleanup;
+	}
+#endif
+
 	ret = cstp_puts(ws, "\r\n");
 	if (ret < 0) {
 		ret = -1;
@@ -1089,6 +1097,14 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
 	if (ret < 0)
 		goto fail;
 
+#ifdef ADD_OWASP_HEADERS
+	ret = 
+		add_owasp_headers(ws);
+	if (ret < 0)
+		goto fail;
+#endif
+
+
 #ifdef ANYCONNECT_CLIENT_COMPAT	
 	if (WSCONFIG(ws)->xml_config_file) {
 		ret =

src/worker-http-handlers.c

@@ -58,6 +58,9 @@ static int send_headers(worker_st *ws, unsigned http_ver, const char *content_ty
 	    cstp_printf(ws, "Content-Type: %s\r\n", content_type) < 0 ||
 	    cstp_puts  (ws, "X-Transcend-Version: 1\r\n") < 0 ||
 	    cstp_printf(ws, "Content-Length: %u\r\n", content_length) < 0 ||
+#ifdef ADD_OWASP_HEADERS
+		add_owasp_headers(ws) < 0 ||
+#endif				
 	    cstp_puts  (ws, "\r\n") < 0)
 		return -1;
 	return 0;

src/worker-http.c

@@ -863,3 +863,30 @@ void http_req_deinit(worker_st * ws)
 	ws->req.body = NULL;
 }
 
+#if defined(ADD_OWASP_HEADERS)
+/* add_owasp_headers:
+ * @ws: an initialized worker structure
+ *
+ * This function adds the OWASP default headers
+ * There are security tools that flag the server as a security risk.
+ * These are added to help users comply with security best practices.
+ */
+int add_owasp_headers(worker_st * ws)
+{
+	if (cstp_puts(ws, "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n") < 0 ||
+		cstp_puts(ws, "X-Frame-Options: deny\r\n") < 0 ||
+		cstp_puts(ws, "X-Content-Type-Options: nosniff\r\n") < 0 ||
+		cstp_puts(ws, "Content-Security-Policy: default-src \'none\'\r\n") < 0 ||
+		cstp_puts(ws, "X-Permitted-Cross-Domain-Policies: none\r\n") < 0 ||
+		cstp_puts(ws, "Referrer-Policy: no-referrer\r\n") < 0 ||
+		cstp_puts(ws, "Clear-Site-Data: \"cache\",\"cookies\",\"storage\"\r\n") < 0 ||
+		cstp_puts(ws, "Cross-Origin-Embedder-Policy: require-corp\r\n") < 0 ||
+		cstp_puts(ws, "Cross-Origin-Opener-Policy: same-origin\r\n") < 0 ||
+		cstp_puts(ws, "Cross-Origin-Resource-Policy: same-origin\r\n") < 0 ||
+		cstp_puts(ws, "X-XSS-Protection: 0\r\n") < 0)
+	{
+		return -1;
+	}
+	return 0;
+}
+#endif

src/worker-kkdcp.c

@@ -273,6 +273,14 @@ int post_kkdcp_handler(worker_st *ws, unsigned http_ver)
 		goto fail;
 	}
 
+#ifdef ADD_OWASP_HEADERS
+	ret = add_owasp_headers(ws);
+	if (ret < 0) {
+		goto fail;
+	}
+#endif
+	
+
 	ret = cstp_puts(ws, "\r\n");
 	if (ret < 0) {
 		goto fail;

src/worker-vpn.c

@@ -1931,6 +1931,11 @@ static int connect_handler(worker_st * ws)
 	ret = cstp_puts(ws, "HTTP/1.1 200 CONNECTED\r\n");
 	SEND_ERR(ret);
 
+#ifdef ADD_OWASP_HEADERS
+	ret = add_owasp_headers(ws);
+	SEND_ERR(ret);
+#endif
+
 	ret = cstp_puts(ws, "X-CSTP-Version: 1\r\n");
 	SEND_ERR(ret);
 

src/worker.h

@@ -422,6 +422,10 @@ int parse_proxy_proto_header(struct worker_st *ws, int fd);
 
 void cookie_authenticate_or_exit(worker_st *ws);
 
+#ifdef ADD_OWASP_HEADERS
+int add_owasp_headers(worker_st * ws);
+#endif
+
 /* after that time (secs) of inactivity in the UDP part, connection switches to 
  * TCP (if activity occurs there).
  */