fix formatting
[akkoma] / test / plugs / http_security_plug_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
6 use Pleroma.Web.ConnCase
7 alias Pleroma.Config
8 alias Plug.Conn
9
10 clear_config([:http_securiy, :enabled])
11 clear_config([:http_security, :sts])
12
13 describe "http security enabled" do
14 setup do
15 Config.put([:http_security, :enabled], true)
16 end
17
18 test "it sends CSP headers when enabled", %{conn: conn} do
19 conn = get(conn, "/api/v1/instance")
20
21 refute Conn.get_resp_header(conn, "x-xss-protection") == []
22 refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
23 refute Conn.get_resp_header(conn, "x-frame-options") == []
24 refute Conn.get_resp_header(conn, "x-content-type-options") == []
25 refute Conn.get_resp_header(conn, "x-download-options") == []
26 refute Conn.get_resp_header(conn, "referrer-policy") == []
27 refute Conn.get_resp_header(conn, "content-security-policy") == []
28 end
29
30 test "it sends STS headers when enabled", %{conn: conn} do
31 Config.put([:http_security, :sts], true)
32
33 conn = get(conn, "/api/v1/instance")
34
35 refute Conn.get_resp_header(conn, "strict-transport-security") == []
36 refute Conn.get_resp_header(conn, "expect-ct") == []
37 end
38
39 test "it does not send STS headers when disabled", %{conn: conn} do
40 Config.put([:http_security, :sts], false)
41
42 conn = get(conn, "/api/v1/instance")
43
44 assert Conn.get_resp_header(conn, "strict-transport-security") == []
45 assert Conn.get_resp_header(conn, "expect-ct") == []
46 end
47
48 test "referrer-policy header reflects configured value", %{conn: conn} do
49 conn = get(conn, "/api/v1/instance")
50
51 assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
52
53 Config.put([:http_security, :referrer_policy], "no-referrer")
54
55 conn =
56 build_conn()
57 |> get("/api/v1/instance")
58
59 assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
60 end
61
62 test "it sends `report-to` & `report-uri` CSP response headers" do
63 conn =
64 build_conn()
65 |> get("/api/v1/instance")
66
67 [csp] = Conn.get_resp_header(conn, "content-security-policy")
68
69 assert csp =~ ~r|report-uri https://endpoint.com; report-to csp-endpoint;|
70
71 [reply_to] = Conn.get_resp_header(conn, "reply-to")
72
73 assert reply_to ==
74 "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
75 end
76 end
77
78 test "it does not send CSP headers when disabled", %{conn: conn} do
79 Config.put([:http_security, :enabled], false)
80
81 conn = get(conn, "/api/v1/instance")
82
83 assert Conn.get_resp_header(conn, "x-xss-protection") == []
84 assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
85 assert Conn.get_resp_header(conn, "x-frame-options") == []
86 assert Conn.get_resp_header(conn, "x-content-type-options") == []
87 assert Conn.get_resp_header(conn, "x-download-options") == []
88 assert Conn.get_resp_header(conn, "referrer-policy") == []
89 assert Conn.get_resp_header(conn, "content-security-policy") == []
90 end
91 end