git.squeep.com Git - akkoma/blob - test/plugs/http_security_plug_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
   6   use Pleroma.Web.ConnCase
   7   alias Pleroma.Config
   8   alias Plug.Conn
   9
  10   test "it sends CSP headers when enabled", %{conn: conn} do
  11     Config.put([:http_security, :enabled], true)
  12
  13     conn =
  14       conn
  15       |> get("/api/v1/instance")
  16
  17     refute Conn.get_resp_header(conn, "x-xss-protection") == []
  18     refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  19     refute Conn.get_resp_header(conn, "x-frame-options") == []
  20     refute Conn.get_resp_header(conn, "x-content-type-options") == []
  21     refute Conn.get_resp_header(conn, "x-download-options") == []
  22     refute Conn.get_resp_header(conn, "referrer-policy") == []
  23     refute Conn.get_resp_header(conn, "content-security-policy") == []
  24   end
  25
  26   test "it does not send CSP headers when disabled", %{conn: conn} do
  27     Config.put([:http_security, :enabled], false)
  28
  29     conn =
  30       conn
  31       |> get("/api/v1/instance")
  32
  33     assert Conn.get_resp_header(conn, "x-xss-protection") == []
  34     assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  35     assert Conn.get_resp_header(conn, "x-frame-options") == []
  36     assert Conn.get_resp_header(conn, "x-content-type-options") == []
  37     assert Conn.get_resp_header(conn, "x-download-options") == []
  38     assert Conn.get_resp_header(conn, "referrer-policy") == []
  39     assert Conn.get_resp_header(conn, "content-security-policy") == []
  40   end
  41
  42   test "it sends STS headers when enabled", %{conn: conn} do
  43     Config.put([:http_security, :enabled], true)
  44     Config.put([:http_security, :sts], true)
  45
  46     conn =
  47       conn
  48       |> get("/api/v1/instance")
  49
  50     refute Conn.get_resp_header(conn, "strict-transport-security") == []
  51     refute Conn.get_resp_header(conn, "expect-ct") == []
  52   end
  53
  54   test "it does not send STS headers when disabled", %{conn: conn} do
  55     Config.put([:http_security, :enabled], true)
  56     Config.put([:http_security, :sts], false)
  57
  58     conn =
  59       conn
  60       |> get("/api/v1/instance")
  61
  62     assert Conn.get_resp_header(conn, "strict-transport-security") == []
  63     assert Conn.get_resp_header(conn, "expect-ct") == []
  64   end
  65
  66   test "referrer-policy header reflects configured value", %{conn: conn} do
  67     Config.put([:http_security, :enabled], true)
  68
  69     conn =
  70       conn
  71       |> get("/api/v1/instance")
  72
  73     assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
  74
  75     Config.put([:http_security, :referrer_policy], "no-referrer")
  76
  77     conn =
  78       build_conn()
  79       |> get("/api/v1/instance")
  80
  81     assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
  82   end
  83 end