git.squeep.com Git - akkoma/blob - test/plugs/http_security_plug_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
   6   use Pleroma.Web.ConnCase
   7   alias Pleroma.Config
   8   alias Plug.Conn
   9
  10   describe "http security enabled" do
  11     setup do
  12       enabled = Config.get([:http_securiy, :enabled])
  13
  14       Config.put([:http_security, :enabled], true)
  15
  16       on_exit(fn ->
  17         Config.put([:http_security, :enabled], enabled)
  18       end)
  19
  20       :ok
  21     end
  22
  23     test "it sends CSP headers when enabled", %{conn: conn} do
  24       conn = get(conn, "/api/v1/instance")
  25
  26       refute Conn.get_resp_header(conn, "x-xss-protection") == []
  27       refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  28       refute Conn.get_resp_header(conn, "x-frame-options") == []
  29       refute Conn.get_resp_header(conn, "x-content-type-options") == []
  30       refute Conn.get_resp_header(conn, "x-download-options") == []
  31       refute Conn.get_resp_header(conn, "referrer-policy") == []
  32       refute Conn.get_resp_header(conn, "content-security-policy") == []
  33     end
  34
  35     test "it sends STS headers when enabled", %{conn: conn} do
  36       Config.put([:http_security, :sts], true)
  37
  38       conn = get(conn, "/api/v1/instance")
  39
  40       refute Conn.get_resp_header(conn, "strict-transport-security") == []
  41       refute Conn.get_resp_header(conn, "expect-ct") == []
  42     end
  43
  44     test "it does not send STS headers when disabled", %{conn: conn} do
  45       Config.put([:http_security, :sts], false)
  46
  47       conn = get(conn, "/api/v1/instance")
  48
  49       assert Conn.get_resp_header(conn, "strict-transport-security") == []
  50       assert Conn.get_resp_header(conn, "expect-ct") == []
  51     end
  52
  53     test "referrer-policy header reflects configured value", %{conn: conn} do
  54       conn = get(conn, "/api/v1/instance")
  55
  56       assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
  57
  58       Config.put([:http_security, :referrer_policy], "no-referrer")
  59
  60       conn =
  61         build_conn()
  62         |> get("/api/v1/instance")
  63
  64       assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
  65     end
  66
  67     test "it sends `report-to` & `report-uri` CSP response headers" do
  68       conn =
  69         build_conn()
  70         |> get("/api/v1/instance")
  71
  72       [csp] = Conn.get_resp_header(conn, "content-security-policy")
  73
  74       assert csp =~ ~r|report-uri https://endpoint.com; report-to csp-endpoint;|
  75
  76       [reply_to] = Conn.get_resp_header(conn, "reply-to")
  77
  78       assert reply_to ==
  79                "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
  80     end
  81   end
  82
  83   test "it does not send CSP headers when disabled", %{conn: conn} do
  84     enabled = Config.get([:http_securiy, :enabled])
  85
  86     Config.put([:http_security, :enabled], false)
  87
  88     on_exit(fn ->
  89       Config.put([:http_security, :enabled], enabled)
  90     end)
  91
  92     conn = get(conn, "/api/v1/instance")
  93
  94     assert Conn.get_resp_header(conn, "x-xss-protection") == []
  95     assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  96     assert Conn.get_resp_header(conn, "x-frame-options") == []
  97     assert Conn.get_resp_header(conn, "x-content-type-options") == []
  98     assert Conn.get_resp_header(conn, "x-download-options") == []
  99     assert Conn.get_resp_header(conn, "referrer-policy") == []
 100     assert Conn.get_resp_header(conn, "content-security-policy") == []
 101   end
 102 end