2016-04-24 17:10:45 +02:00
|
|
|
package middleware
|
|
|
|
|
2016-05-03 17:32:28 +02:00
|
|
|
import (
|
|
|
|
"net/http"
|
2016-09-23 07:53:44 +02:00
|
|
|
"net/http/httptest"
|
2016-05-03 17:32:28 +02:00
|
|
|
"testing"
|
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
"github.com/labstack/echo/v5"
|
2016-05-03 17:32:28 +02:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestSecure(t *testing.T) {
|
|
|
|
e := echo.New()
|
2018-10-14 17:16:58 +02:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
2016-09-23 07:53:44 +02:00
|
|
|
rec := httptest.NewRecorder()
|
2016-05-03 17:32:28 +02:00
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
h := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Default
|
2021-07-15 22:34:01 +02:00
|
|
|
err := Secure()(h)(c)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
2016-05-03 17:32:28 +02:00
|
|
|
assert.Equal(t, "1; mode=block", rec.Header().Get(echo.HeaderXXSSProtection))
|
|
|
|
assert.Equal(t, "nosniff", rec.Header().Get(echo.HeaderXContentTypeOptions))
|
|
|
|
assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
2019-08-02 00:27:09 +02:00
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))
|
2021-07-15 22:34:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestSecureWithConfig(t *testing.T) {
|
|
|
|
e := echo.New()
|
|
|
|
h := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
2016-05-03 17:32:28 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
2016-09-23 07:53:44 +02:00
|
|
|
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
2021-07-15 22:34:01 +02:00
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
mw, err := SecureConfig{
|
2016-05-03 17:32:28 +02:00
|
|
|
XSSProtection: "",
|
|
|
|
ContentTypeNosniff: "",
|
|
|
|
XFrameOptions: "",
|
|
|
|
HSTSMaxAge: 3600,
|
|
|
|
ContentSecurityPolicy: "default-src 'self'",
|
2019-08-02 00:27:09 +02:00
|
|
|
ReferrerPolicy: "origin",
|
2021-07-15 22:34:01 +02:00
|
|
|
}.ToMiddleware()
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
err = mw(h)(c)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
2016-05-03 17:32:28 +02:00
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
|
|
|
|
assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
|
|
|
assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
2019-02-27 08:32:07 +02:00
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
|
2019-08-02 00:27:09 +02:00
|
|
|
assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
|
2019-02-27 08:32:07 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestSecureWithConfig_CSPReportOnly(t *testing.T) {
|
2019-02-27 08:32:07 +02:00
|
|
|
// Custom with CSPReportOnly flag
|
2021-07-15 22:34:01 +02:00
|
|
|
e := echo.New()
|
|
|
|
h := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
|
|
|
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
2019-02-27 08:32:07 +02:00
|
|
|
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
2021-07-15 22:34:01 +02:00
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
|
|
|
|
err := SecureWithConfig(SecureConfig{
|
2019-02-27 08:32:07 +02:00
|
|
|
XSSProtection: "",
|
|
|
|
ContentTypeNosniff: "",
|
|
|
|
XFrameOptions: "",
|
|
|
|
HSTSMaxAge: 3600,
|
|
|
|
ContentSecurityPolicy: "default-src 'self'",
|
|
|
|
CSPReportOnly: true,
|
2019-08-02 00:27:09 +02:00
|
|
|
ReferrerPolicy: "origin",
|
2019-02-27 08:32:07 +02:00
|
|
|
})(h)(c)
|
2021-07-15 22:34:01 +02:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
2019-02-27 08:32:07 +02:00
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
|
|
|
|
assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
|
|
|
assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
|
2019-08-02 00:27:09 +02:00
|
|
|
assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
|
2021-07-15 22:34:01 +02:00
|
|
|
}
|
2019-03-06 20:22:19 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
func TestSecureWithConfig_HSTSPreloadEnabled(t *testing.T) {
|
|
|
|
// Custom with CSPReportOnly flag
|
|
|
|
e := echo.New()
|
|
|
|
h := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
|
|
|
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
2019-03-06 20:22:19 +02:00
|
|
|
// Custom, with preload option enabled
|
|
|
|
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
2021-07-15 22:34:01 +02:00
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
|
|
|
|
err := SecureWithConfig(SecureConfig{
|
2019-03-06 20:22:19 +02:00
|
|
|
HSTSMaxAge: 3600,
|
|
|
|
HSTSPreloadEnabled: true,
|
|
|
|
})(h)(c)
|
2021-07-15 22:34:01 +02:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
2019-03-06 20:22:19 +02:00
|
|
|
assert.Equal(t, "max-age=3600; includeSubdomains; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestSecureWithConfig_HSTSExcludeSubdomains(t *testing.T) {
|
|
|
|
// Custom with CSPReportOnly flag
|
|
|
|
e := echo.New()
|
|
|
|
h := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
|
|
|
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
|
|
|
2019-03-06 20:22:19 +02:00
|
|
|
// Custom, with preload option enabled and subdomains excluded
|
|
|
|
req.Header.Set(echo.HeaderXForwardedProto, "https")
|
2021-07-15 22:34:01 +02:00
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
|
|
|
|
err := SecureWithConfig(SecureConfig{
|
2019-03-06 20:22:19 +02:00
|
|
|
HSTSMaxAge: 3600,
|
|
|
|
HSTSPreloadEnabled: true,
|
|
|
|
HSTSExcludeSubdomains: true,
|
|
|
|
})(h)(c)
|
2021-07-15 22:34:01 +02:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
2019-03-06 20:22:19 +02:00
|
|
|
assert.Equal(t, "max-age=3600; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))
|
2016-05-03 17:32:28 +02:00
|
|
|
}
|