feat: helmet middleware and tests.

amlel-el-mahrouss · amlel-el-mahrouss · commit 6f95bfe61ff5 · 2025-12-22T22:11:23.000+01:00
Signed-off-by: Amlal El Mahrouss &lt;amlal@nekernel.org&gt;
diff --git a/include/boost/http_proto/server/helmet.hpp b/include/boost/http_proto/server/helmet.hpp
@@ -0,0 +1,72 @@
+//
+// Copyright (c) 2025 Amlal El Mahrouss (amlal at nekernel dot org)
+//
+// Distributed under the Boost Software License, Version 1.0. (See accompanying
+// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+//
+// Official repository: https://github.com/cppalliance/http_proto
+//
+
+#ifndef BOOST_HTTP_PROTO_SERVER_HELMET_HPP
+#define BOOST_HTTP_PROTO_SERVER_HELMET_HPP
+
+#include <boost/http_proto/detail/config.hpp>
+#include <boost/http_proto/server/route_handler.hpp>
+
+namespace boost {
+namespace http_proto {
+
+/// \brief Helmet middleware options.
+struct helmet_options
+{
+    using helmet_pair = std::pair<std::string, std::vector<std::string>>;
+    using helmet_map     = std::vector<helmet_pair>;
+    
+    /// \brief {key, enabled}
+    /// \note i.e {bad-header, ""} <-- disabled
+    helmet_map requestHeaders = {
+        {"Content-Security-Policy", {"default-src 'self'", "base-uri 'self'", "font-src 'self' https: data:", "form-action 'self'", "frame-ancestors 'self'", 
+            "img-src 'self' data:", "object-src 'none'", "script-src 'self'", "script-src-attr 'none'", "style-src 'self' https: 'unsafe-inline'", "upgrade-insecure-requests"}},
+        {"Cross-Origin-Embedder-Policy", {"require-corp"}},
+        {"Cross-Origin-Opener-Policy", {"same-origin"}},
+        {"Cross-Origin-Resource-Policy", {"same-origin"}},
+        {"X-DNS-Prefetch-Control", {"off"}},
+        {"Expect-CT", {"max-age=86400, enforce"}},
+        {"X-Frame-Options", {"SAMEORIGIN"}},
+        {"X-Powered-By", {""}},  // Remove this header
+        {"Strict-Transport-Security", {"max-age=15552000", "includeSubDomains"}},
+        {"X-Download-Options", {"noopen"}},
+        {"X-Content-Type-Options", {"nosniff"}},
+        {"Origin-Agent-Cluster", {"?1"}},
+        {"X-Permitted-Cross-Domain-Policies", {"none"}},
+        {"Referrer-Policy", {"no-referrer"}},
+        {"X-XSS-Protection", {"0"}}  // Disabled as modern browsers have better protections
+    };
+};
+
+/// \brief Middleware inspired by express.js concept of helmets.
+class helmet
+{
+    struct impl;
+    std::unique_ptr<impl> impl_;
+    
+public:
+    /// \brief Builds an helmet and compute its options for caching purposes.
+    BOOST_HTTP_PROTO_DECL
+    explicit helmet(
+        helmet_options options = {}) noexcept;
+
+    /// \brief Iterates over cachedHeaders and apply its rules to the response params.
+    /// \param p route parameter argument
+    /// \return route_result an error_code signaling the route's status.
+    BOOST_HTTP_PROTO_DECL
+    route_result
+    operator()(route_params& p) const;
+
+private:
+    helmet_options options_;
+};
+}
+
+}
+#endif
diff --git a/src/server/helmet.cpp b/src/server/helmet.cpp
@@ -0,0 +1,77 @@
+//
+// Copyright (c) 2025 Amlal El Mahrouss (amlal at nekernel dot org)
+//
+// Distributed under the Boost Software License, Version 1.0. (See accompanying
+// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+//
+// Official repository: https://github.com/cppalliance/http_proto
+//
+
+#include <boost/http_proto/server/helmet.hpp>
+#include <algorithm>
+
+namespace boost {
+namespace http_proto {
+
+namespace detail {
+    /// \internal
+    auto setHeaderValues(const std::vector<std::string>& fields_value) -> std::string {
+        if (fields_value.empty())
+            detail::throw_invalid_argument();
+
+        std::string res_value;
+        bool first = false;
+
+        for (const auto& value: fields_value)
+        {
+            if (first) res_value += "; ";
+            res_value += value;
+            first = true;
+        }
+
+        return res_value;
+    }
+}
+
+struct helmet::impl
+{
+    using cached_pair = std::pair<std::string, std::string>;
+    using cached_vector = std::vector<cached_pair>;
+
+    impl() = default;
+    ~impl() = default;
+
+    cached_vector cachedHeaders;
+};
+
+helmet::
+helmet(
+    helmet_options options) noexcept
+    : options_(std::move(options))
+{
+    std::for_each(options_.requestHeaders.begin(), options_.requestHeaders.end(), 
+        [this] (const auto& hdr)
+        {
+            if (hdr.second.empty())
+                detail::throw_invalid_argument();
+
+            this->impl_->cachedHeaders.push_back(std::make_pair(hdr.first, detail::setHeaderValues(hdr.second)));
+        });
+}
+
+route_result
+helmet::
+operator()(
+    route_params& p) const
+{
+    std::for_each(impl_->cachedHeaders.begin(), impl_->cachedHeaders.end(), 
+        [&p] (const auto& hdr)
+        {
+            p.res.set(hdr.first, hdr.second);
+        });
+
+    return route::next;
+}
+
+}
+}
diff --git a/test/unit/server/helmet.cpp b/test/unit/server/helmet.cpp
@@ -0,0 +1,26 @@
+//
+// Copyright (c) 2025 Amlal El Mahrouss (amlal at nekernel dot org)
+//
+// Distributed under the Boost Software License, Version 1.0. (See accompanying
+// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+//
+// Official repository: https://github.com/cppalliance/http_proto
+//
+
+#include <boost/http_proto/server/helmet.hpp>
+#include "test_suite.hpp"
+
+namespace boost {
+namespace http_proto {
+
+struct helmet_test
+{
+    void run() {}
+};
+
+TEST_SUITE(
+    helmet_test,
+    "boost.http_proto.server.helmet");
+}
+
+}
