git.squeep.com Git - akkoma/blob - test/plugs/http_security_plug_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
   6   use Pleroma.Web.ConnCase
   7   alias Pleroma.Config
   8   alias Plug.Conn
   9
  10   setup do: clear_config([:http_securiy, :enabled])
  11   setup do: clear_config([:http_security, :sts])
  12   setup do: clear_config([:http_security, :referrer_policy])
  13
  14   describe "http security enabled" do
  15     setup do
  16       Config.put([:http_security, :enabled], true)
  17     end
  18
  19     test "it sends CSP headers when enabled", %{conn: conn} do
  20       conn = get(conn, "/api/v1/instance")
  21
  22       refute Conn.get_resp_header(conn, "x-xss-protection") == []
  23       refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  24       refute Conn.get_resp_header(conn, "x-frame-options") == []
  25       refute Conn.get_resp_header(conn, "x-content-type-options") == []
  26       refute Conn.get_resp_header(conn, "x-download-options") == []
  27       refute Conn.get_resp_header(conn, "referrer-policy") == []
  28       refute Conn.get_resp_header(conn, "content-security-policy") == []
  29     end
  30
  31     test "it sends STS headers when enabled", %{conn: conn} do
  32       Config.put([:http_security, :sts], true)
  33
  34       conn = get(conn, "/api/v1/instance")
  35
  36       refute Conn.get_resp_header(conn, "strict-transport-security") == []
  37       refute Conn.get_resp_header(conn, "expect-ct") == []
  38     end
  39
  40     test "it does not send STS headers when disabled", %{conn: conn} do
  41       Config.put([:http_security, :sts], false)
  42
  43       conn = get(conn, "/api/v1/instance")
  44
  45       assert Conn.get_resp_header(conn, "strict-transport-security") == []
  46       assert Conn.get_resp_header(conn, "expect-ct") == []
  47     end
  48
  49     test "referrer-policy header reflects configured value", %{conn: conn} do
  50       conn = get(conn, "/api/v1/instance")
  51
  52       assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
  53
  54       Config.put([:http_security, :referrer_policy], "no-referrer")
  55
  56       conn =
  57         build_conn()
  58         |> get("/api/v1/instance")
  59
  60       assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
  61     end
  62
  63     test "it sends `report-to` & `report-uri` CSP response headers" do
  64       conn =
  65         build_conn()
  66         |> get("/api/v1/instance")
  67
  68       [csp] = Conn.get_resp_header(conn, "content-security-policy")
  69
  70       assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|
  71
  72       [reply_to] = Conn.get_resp_header(conn, "reply-to")
  73
  74       assert reply_to ==
  75                "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
  76     end
  77   end
  78
  79   test "it does not send CSP headers when disabled", %{conn: conn} do
  80     Config.put([:http_security, :enabled], false)
  81
  82     conn = get(conn, "/api/v1/instance")
  83
  84     assert Conn.get_resp_header(conn, "x-xss-protection") == []
  85     assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
  86     assert Conn.get_resp_header(conn, "x-frame-options") == []
  87     assert Conn.get_resp_header(conn, "x-content-type-options") == []
  88     assert Conn.get_resp_header(conn, "x-download-options") == []
  89     assert Conn.get_resp_header(conn, "referrer-policy") == []
  90     assert Conn.get_resp_header(conn, "content-security-policy") == []
  91   end
  92 end