diff options
| author | Egor Kislitsyn <egor@kislitsyn.com> | 2018-12-06 19:55:58 +0700 |
|---|---|---|
| committer | Egor Kislitsyn <egor@kislitsyn.com> | 2018-12-06 19:55:58 +0700 |
| commit | 8b4397c704147bcc5ca12ab60dde32f2b6e11a41 (patch) | |
| tree | f1d26585be6673b495d3f4b8bea4deb5f0283d42 /test/plugs/http_security_plug_test.exs | |
| parent | 04a48286e69704bf83429b85dbcdb70863bdcff1 (diff) | |
| parent | 52ce368562de919f1806dfd5235642caf0666e16 (diff) | |
| download | pleroma-8b4397c704147bcc5ca12ab60dde32f2b6e11a41.tar.gz pleroma-8b4397c704147bcc5ca12ab60dde32f2b6e11a41.zip | |
Merge branch 'develop' into feature/compat/push-subscriptions
# Conflicts:
# lib/mix/tasks/sample_config.eex
# lib/pleroma/web/twitter_api/controllers/util_controller.ex
# mix.exs
# mix.lock
Diffstat (limited to 'test/plugs/http_security_plug_test.exs')
| -rw-r--r-- | test/plugs/http_security_plug_test.exs | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs new file mode 100644 index 000000000..169c3b3a8 --- /dev/null +++ b/test/plugs/http_security_plug_test.exs @@ -0,0 +1,79 @@ +defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do + use Pleroma.Web.ConnCase + alias Pleroma.Config + alias Plug.Conn + + test "it sends CSP headers when enabled", %{conn: conn} do + Config.put([:http_security, :enabled], true) + + conn = + conn + |> get("/api/v1/instance") + + refute Conn.get_resp_header(conn, "x-xss-protection") == [] + refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + refute Conn.get_resp_header(conn, "x-frame-options") == [] + refute Conn.get_resp_header(conn, "x-content-type-options") == [] + refute Conn.get_resp_header(conn, "x-download-options") == [] + refute Conn.get_resp_header(conn, "referrer-policy") == [] + refute Conn.get_resp_header(conn, "content-security-policy") == [] + end + + test "it does not send CSP headers when disabled", %{conn: conn} do + Config.put([:http_security, :enabled], false) + + conn = + conn + |> get("/api/v1/instance") + + assert Conn.get_resp_header(conn, "x-xss-protection") == [] + assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] + assert Conn.get_resp_header(conn, "x-frame-options") == [] + assert Conn.get_resp_header(conn, "x-content-type-options") == [] + assert Conn.get_resp_header(conn, "x-download-options") == [] + assert Conn.get_resp_header(conn, "referrer-policy") == [] + assert Conn.get_resp_header(conn, "content-security-policy") == [] + end + + test "it sends STS headers when enabled", %{conn: conn} do + Config.put([:http_security, :enabled], true) + Config.put([:http_security, :sts], true) + + conn = + conn + |> get("/api/v1/instance") + + refute Conn.get_resp_header(conn, "strict-transport-security") == [] + refute Conn.get_resp_header(conn, "expect-ct") == [] + end + + test "it does not send STS headers when disabled", %{conn: conn} do + Config.put([:http_security, :enabled], true) + Config.put([:http_security, :sts], false) + + conn = + conn + |> get("/api/v1/instance") + + assert Conn.get_resp_header(conn, "strict-transport-security") == [] + assert Conn.get_resp_header(conn, "expect-ct") == [] + end + + test "referrer-policy header reflects configured value", %{conn: conn} do + Config.put([:http_security, :enabled], true) + + conn = + conn + |> get("/api/v1/instance") + + assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] + + Config.put([:http_security, :referrer_policy], "no-referrer") + + conn = + build_conn() + |> get("/api/v1/instance") + + assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + end +end |