squeegily
/
pleroma
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 42 Wiki Activity
Fork of Pleroma with site-specific changes and feature branches https://git.pleroma.social/pleroma/pleroma
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7259 Commits
154 Branches
503MB
Tree: 13cc52dc60
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '13cc52dc60'
${ noResults }
pleroma/test/plugs/http_security_plug_test.exs

92 lines
3.2KB
Raw Blame History 

  1. # Pleroma: A lightweight social networking server

  2. # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>

  3. # SPDX-License-Identifier: AGPL-3.0-only

  4. 

  5. defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do

  6.   use Pleroma.Web.ConnCase

  7.   alias Pleroma.Config

  8.   alias Plug.Conn

  9. 

  10.   clear_config([:http_securiy, :enabled])

  11.   clear_config([:http_security, :sts])

  12. 

  13.   describe "http security enabled" do

  14.     setup do

  15.       Config.put([:http_security, :enabled], true)

  16.     end

  17. 

  18.     test "it sends CSP headers when enabled", %{conn: conn} do

  19.       conn = get(conn, "/api/v1/instance")

  20. 

  21.       refute Conn.get_resp_header(conn, "x-xss-protection") == []

  22.       refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []

  23.       refute Conn.get_resp_header(conn, "x-frame-options") == []

  24.       refute Conn.get_resp_header(conn, "x-content-type-options") == []

  25.       refute Conn.get_resp_header(conn, "x-download-options") == []

  26.       refute Conn.get_resp_header(conn, "referrer-policy") == []

  27.       refute Conn.get_resp_header(conn, "content-security-policy") == []

  28.     end

  29. 

  30.     test "it sends STS headers when enabled", %{conn: conn} do

  31.       Config.put([:http_security, :sts], true)

  32. 

  33.       conn = get(conn, "/api/v1/instance")

  34. 

  35.       refute Conn.get_resp_header(conn, "strict-transport-security") == []

  36.       refute Conn.get_resp_header(conn, "expect-ct") == []

  37.     end

  38. 

  39.     test "it does not send STS headers when disabled", %{conn: conn} do

  40.       Config.put([:http_security, :sts], false)

  41. 

  42.       conn = get(conn, "/api/v1/instance")

  43. 

  44.       assert Conn.get_resp_header(conn, "strict-transport-security") == []

  45.       assert Conn.get_resp_header(conn, "expect-ct") == []

  46.     end

  47. 

  48.     test "referrer-policy header reflects configured value", %{conn: conn} do

  49.       conn = get(conn, "/api/v1/instance")

  50. 

  51.       assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]

  52. 

  53.       Config.put([:http_security, :referrer_policy], "no-referrer")

  54. 

  55.       conn =

  56.         build_conn()

  57.         |> get("/api/v1/instance")

  58. 

  59.       assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]

  60.     end

  61. 

  62.     test "it sends `report-to` & `report-uri` CSP response headers" do

  63.       conn =

  64.         build_conn()

  65.         |> get("/api/v1/instance")

  66. 

  67.       [csp] = Conn.get_resp_header(conn, "content-security-policy")

  68. 

  69.       assert csp =~ ~r|report-uri https://endpoint.com; report-to csp-endpoint;|

  70. 

  71.       [reply_to] = Conn.get_resp_header(conn, "reply-to")

  72. 

  73.       assert reply_to ==

  74.                "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"

  75.     end

  76.   end

  77. 

  78.   test "it does not send CSP headers when disabled", %{conn: conn} do

  79.     Config.put([:http_security, :enabled], false)

  80. 

  81.     conn = get(conn, "/api/v1/instance")

  82. 

  83.     assert Conn.get_resp_header(conn, "x-xss-protection") == []

  84.     assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []

  85.     assert Conn.get_resp_header(conn, "x-frame-options") == []

  86.     assert Conn.get_resp_header(conn, "x-content-type-options") == []

  87.     assert Conn.get_resp_header(conn, "x-download-options") == []

  88.     assert Conn.get_resp_header(conn, "referrer-policy") == []

  89.     assert Conn.get_resp_header(conn, "content-security-policy") == []

  90.   end

  91. end