echo/middleware/secure_test.go

package middleware

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/labstack/echo/v4"
	"github.com/stretchr/testify/assert"
)

func TestSecure(t *testing.T) {
	e := echo.New()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)
	h := func(c echo.Context) error {
		return c.String(http.StatusOK, "test")
	}

	// Default
	Secure()(h)(c)
	assert.Equal(t, "1; mode=block", rec.Header().Get(echo.HeaderXXSSProtection))
	assert.Equal(t, "nosniff", rec.Header().Get(echo.HeaderXContentTypeOptions))
	assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))

	// Custom
	req.Header.Set(echo.HeaderXForwardedProto, "https")
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	SecureWithConfig(SecureConfig{
		XSSProtection:         "",
		ContentTypeNosniff:    "",
		XFrameOptions:         "",
		HSTSMaxAge:            3600,
		ContentSecurityPolicy: "default-src 'self'",
		ReferrerPolicy:        "origin",
	})(h)(c)
	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))

	// Custom with CSPReportOnly flag
	req.Header.Set(echo.HeaderXForwardedProto, "https")
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	SecureWithConfig(SecureConfig{
		XSSProtection:         "",
		ContentTypeNosniff:    "",
		XFrameOptions:         "",
		HSTSMaxAge:            3600,
		ContentSecurityPolicy: "default-src 'self'",
		CSPReportOnly:         true,
		ReferrerPolicy:        "origin",
	})(h)(c)
	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))

	// Custom, with preload option enabled
	req.Header.Set(echo.HeaderXForwardedProto, "https")
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	SecureWithConfig(SecureConfig{
		HSTSMaxAge:         3600,
		HSTSPreloadEnabled: true,
	})(h)(c)
	assert.Equal(t, "max-age=3600; includeSubdomains; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))

	// Custom, with preload option enabled and subdomains excluded
	req.Header.Set(echo.HeaderXForwardedProto, "https")
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	SecureWithConfig(SecureConfig{
		HSTSMaxAge:            3600,
		HSTSPreloadEnabled:    true,
		HSTSExcludeSubdomains: true,
	})(h)(c)
	assert.Equal(t, "max-age=3600; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))
}
middleware: add basic secure headers 2016-04-24 17:10:45 +02:00			`package middleware`

Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`import (`
			`"net/http"`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`"net/http/httptest"`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`"testing"`

Introduced Go module support as v4, removed obsolete CloseNotifier() mechanism This reintroduces support for Go modules, as v4. CloseNotifier() is removed as it has been obsoleted, see https://golang.org/doc/go1.11#net/http It was already NOT working (not sending signals) as of 1.11 the functionality was gone, we merely deleted the functions that exposed it. If anyone still relies on it they should migrate to using `c.Request().Context().Done()` instead. Closes #1268, #1255 2019-01-30 12:56:56 +02:00			`"github.com/labstack/echo/v4"`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestSecure(t *testing.T) {`
			`e := echo.New()`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec := httptest.NewRecorder()`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`c := e.NewContext(req, rec)`
			`h := func(c echo.Context) error {`
			`return c.String(http.StatusOK, "test")`
			`}`

			`// Default`
			`Secure()(h)(c)`
			`assert.Equal(t, "1; mode=block", rec.Header().Get(echo.HeaderXXSSProtection))`
			`assert.Equal(t, "nosniff", rec.Header().Get(echo.HeaderXContentTypeOptions))`
			`assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))`
Add ReferrerPolicy to Secure middleware (#1363) 2019-08-02 00:27:09 +02:00			`assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00
			`// Custom`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderXForwardedProto, "https")`
			`rec = httptest.NewRecorder()`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`c = e.NewContext(req, rec)`
			`SecureWithConfig(SecureConfig{`
			`XSSProtection: "",`
			`ContentTypeNosniff: "",`
			`XFrameOptions: "",`
			`HSTSMaxAge: 3600,`
			`ContentSecurityPolicy: "default-src 'self'",`
Add ReferrerPolicy to Secure middleware (#1363) 2019-08-02 00:27:09 +02:00			`ReferrerPolicy: "origin",`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`})(h)(c)`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))`
			`assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))`
			`assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))`
feat(secure): support Content-Security-Policy-Report-Only header (#1287) Closes #1283 2019-02-27 08:32:07 +02:00			`assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))`
Add ReferrerPolicy to Secure middleware (#1363) 2019-08-02 00:27:09 +02:00			`assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))`
feat(secure): support Content-Security-Policy-Report-Only header (#1287) Closes #1283 2019-02-27 08:32:07 +02:00
			`// Custom with CSPReportOnly flag`
			`req.Header.Set(echo.HeaderXForwardedProto, "https")`
			`rec = httptest.NewRecorder()`
			`c = e.NewContext(req, rec)`
			`SecureWithConfig(SecureConfig{`
			`XSSProtection: "",`
			`ContentTypeNosniff: "",`
			`XFrameOptions: "",`
			`HSTSMaxAge: 3600,`
			`ContentSecurityPolicy: "default-src 'self'",`
			`CSPReportOnly: true,`
Add ReferrerPolicy to Secure middleware (#1363) 2019-08-02 00:27:09 +02:00			`ReferrerPolicy: "origin",`
feat(secure): support Content-Security-Policy-Report-Only header (#1287) Closes #1283 2019-02-27 08:32:07 +02:00			`})(h)(c)`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))`
			`assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))`
			`assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))`
			`assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))`
Add ReferrerPolicy to Secure middleware (#1363) 2019-08-02 00:27:09 +02:00			`assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))`
Enable adding `preload` tag to HSTS header (#1247) 2019-03-06 20:22:19 +02:00
			`// Custom, with preload option enabled`
			`req.Header.Set(echo.HeaderXForwardedProto, "https")`
			`rec = httptest.NewRecorder()`
			`c = e.NewContext(req, rec)`
			`SecureWithConfig(SecureConfig{`
			`HSTSMaxAge: 3600,`
			`HSTSPreloadEnabled: true,`
			`})(h)(c)`
			`assert.Equal(t, "max-age=3600; includeSubdomains; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))`

			`// Custom, with preload option enabled and subdomains excluded`
			`req.Header.Set(echo.HeaderXForwardedProto, "https")`
			`rec = httptest.NewRecorder()`
			`c = e.NewContext(req, rec)`
			`SecureWithConfig(SecureConfig{`
			`HSTSMaxAge: 3600,`
			`HSTSPreloadEnabled: true,`
			`HSTSExcludeSubdomains: true,`
			`})(h)(c)`
			`assert.Equal(t, "max-age=3600; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))`
Added test for secure middleware Signed-off-by: Vishal Rana <vr@labstack.com> 2016-05-03 17:32:28 +02:00			`}`