git.squeep.com Git - akkoma/blob - test/plugs/http_security_plug_test.exs

   1 defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
   2   use Pleroma.Web.ConnCase
   3   alias Pleroma.Config
   4   alias Plug.Conn
   5
   6   test "it sends CSP headers when enabled", %{conn: conn} do
   7     Config.put([:http_security, :enabled], true)
   8
   9     conn =
  10       conn
  11       |> get("/api/v1/instance")
  12
  13     refute Conn.get_resp_header(conn, "x-xss-protection") == []
  14     refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  15     refute Conn.get_resp_header(conn, "x-frame-options") == []
  16     refute Conn.get_resp_header(conn, "x-content-type-options") == []
  17     refute Conn.get_resp_header(conn, "x-download-options") == []
  18     refute Conn.get_resp_header(conn, "referrer-policy") == []
  19     refute Conn.get_resp_header(conn, "content-security-policy") == []
  20   end
  21
  22   test "it does not send CSP headers when disabled", %{conn: conn} do
  23     Config.put([:http_security, :enabled], false)
  24
  25     conn =
  26       conn
  27       |> get("/api/v1/instance")
  28
  29     assert Conn.get_resp_header(conn, "x-xss-protection") == []
  30     assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  31     assert Conn.get_resp_header(conn, "x-frame-options") == []
  32     assert Conn.get_resp_header(conn, "x-content-type-options") == []
  33     assert Conn.get_resp_header(conn, "x-download-options") == []
  34     assert Conn.get_resp_header(conn, "referrer-policy") == []
  35     assert Conn.get_resp_header(conn, "content-security-policy") == []
  36   end
  37
  38   test "it sends STS headers when enabled", %{conn: conn} do
  39     Config.put([:http_security, :enabled], true)
  40     Config.put([:http_security, :sts], true)
  41
  42     conn =
  43       conn
  44       |> get("/api/v1/instance")
  45
  46     refute Conn.get_resp_header(conn, "strict-transport-security") == []
  47     refute Conn.get_resp_header(conn, "expect-ct") == []
  48   end
  49
  50   test "it does not send STS headers when disabled", %{conn: conn} do
  51     Config.put([:http_security, :enabled], true)
  52     Config.put([:http_security, :sts], false)
  53
  54     conn =
  55       conn
  56       |> get("/api/v1/instance")
  57
  58     assert Conn.get_resp_header(conn, "strict-transport-security") == []
  59     assert Conn.get_resp_header(conn, "expect-ct") == []
  60   end
  61
  62   test "referrer-policy header reflects configured value", %{conn: conn} do
  63     Config.put([:http_security, :enabled], true)
  64
  65     conn =
  66       conn
  67       |> get("/api/v1/instance")
  68
  69     assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
  70
  71     Config.put([:http_security, :referrer_policy], "no-referrer")
  72
  73     conn =
  74       build_conn()
  75       |> get("/api/v1/instance")
  76
  77     assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
  78   end
  79 end