git.squeep.com Git - akkoma/blob - test/plugs/http_security_plug_test.exs

   1 defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
   2   use Pleroma.Web.ConnCase
   3   alias Pleroma.Config
   4   alias Plug.Conn
   5
   6   test "it sends CSP headers when enabled", %{conn: conn} do
   7     Config.put([:http_security, :enabled], true)
   8
   9     conn =
  10       conn
  11       |> get("/api/v1/instance")
  12
  13     refute Conn.get_resp_header(conn, "x-xss-protection") == []
  14     refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  15     refute Conn.get_resp_header(conn, "x-frame-options") == []
  16     refute Conn.get_resp_header(conn, "x-content-type-options") == []
  17     refute Conn.get_resp_header(conn, "x-download-options") == []
  18     refute Conn.get_resp_header(conn, "referrer-policy") == []
  19     refute Conn.get_resp_header(conn, "content-security-policy") == []
  20   end
  21
  22   test "it does not send CSP headers when disabled", %{conn: conn} do
  23     Config.put([:http_security, :enabled], false)
  24
  25     conn =
  26       conn
  27       |> get("/api/v1/instance")
  28
  29     assert Conn.get_resp_header(conn, "x-xss-protection") == []
  30     assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  31     assert Conn.get_resp_header(conn, "x-frame-options") == []
  32     assert Conn.get_resp_header(conn, "x-content-type-options") == []
  33     assert Conn.get_resp_header(conn, "x-download-options") == []
  34     assert Conn.get_resp_header(conn, "referrer-policy") == []
  35     assert Conn.get_resp_header(conn, "content-security-policy") == []
  36   end
  37
  38   test "it sends STS headers when enabled", %{conn: conn} do
  39     Config.put([:http_security, :enabled], true)
  40     Config.put([:http_security, :sts], true)
  41
  42     conn =
  43       conn
  44       |> get("/api/v1/instance")
  45
  46     refute Conn.get_resp_header(conn, "strict-transport-security") == []
  47     refute Conn.get_resp_header(conn, "expect-ct") == []
  48   end
  49
  50   test "it does not send STS headers when disabled", %{conn: conn} do
  51     Config.put([:http_security, :enabled], true)
  52     Config.put([:http_security, :sts], false)
  53
  54     conn =
  55       conn
  56       |> get("/api/v1/instance")
  57
  58     assert Conn.get_resp_header(conn, "strict-transport-security") == []
  59     assert Conn.get_resp_header(conn, "expect-ct") == []
  60   end
  61
  62   test "referrer-policy header reflects configured value", %{conn: conn} do
  63     conn =
  64       conn
  65       |> get("/api/v1/instance")
  66
  67     assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
  68
  69     Config.put([:http_security, :referrer_policy], "no-referrer")
  70
  71     conn =
  72       build_conn()
  73       |> get("/api/v1/instance")
  74
  75     assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
  76   end
  77 end