# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
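defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
  # Exercises the security response headers added by the HTTP security plug
  # (CSP, STS, referrer-policy and the related X-* headers) on
  # "/api/v1/instance", with the plug both enabled and disabled.
  use Pleroma.Web.ConnCase

  alias Pleroma.Config
  alias Plug.Conn

  # Clear (and restore on exit) every config key these tests mutate so a value
  # set in one test cannot leak into later tests. The key must be spelled
  # `:http_security` for all three; a misspelled key clears nothing.
  setup do: clear_config([:http_security, :enabled])
  setup do: clear_config([:http_security, :sts])
  setup do: clear_config([:http_security, :referrer_policy])

  describe "http security enabled" do
    setup do
      Config.put([:http_security, :enabled], true)
    end

    # Presence-only check: each header must exist; values are not asserted here.
    test "it sends CSP headers when enabled", %{conn: conn} do
      conn = get(conn, "/api/v1/instance")

      refute Conn.get_resp_header(conn, "x-xss-protection") == []
      refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
      refute Conn.get_resp_header(conn, "x-frame-options") == []
      refute Conn.get_resp_header(conn, "x-content-type-options") == []
      refute Conn.get_resp_header(conn, "x-download-options") == []
      refute Conn.get_resp_header(conn, "referrer-policy") == []
      refute Conn.get_resp_header(conn, "content-security-policy") == []
    end

    test "it sends STS headers when enabled", %{conn: conn} do
      Config.put([:http_security, :sts], true)
      conn = get(conn, "/api/v1/instance")

      refute Conn.get_resp_header(conn, "strict-transport-security") == []
      refute Conn.get_resp_header(conn, "expect-ct") == []
    end

    test "it does not send STS headers when disabled", %{conn: conn} do
      Config.put([:http_security, :sts], false)
      conn = get(conn, "/api/v1/instance")

      assert Conn.get_resp_header(conn, "strict-transport-security") == []
      assert Conn.get_resp_header(conn, "expect-ct") == []
    end

    test "referrer-policy header reflects configured value", %{conn: conn} do
      # Default policy when nothing is configured.
      conn = get(conn, "/api/v1/instance")
      assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]

      # A fresh conn is needed: the first one has already been sent.
      Config.put([:http_security, :referrer_policy], "no-referrer")
      conn = build_conn() |> get("/api/v1/instance")
      assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
    end

    # NOTE(review): this test sets no reporting config itself, so the
    # "https://endpoint.com" / "csp-endpoint" values presumably come from the
    # test environment config — confirm there. The reporting group is read
    # from a header literally named "reply-to"; that matches the plug under
    # test but is not the Reporting API's "report-to" name, so rename both
    # sides together if that is ever corrected.
    test "it sends `report-to` & `report-uri` CSP response headers" do
      conn = build_conn() |> get("/api/v1/instance")

      [csp] = Conn.get_resp_header(conn, "content-security-policy")
      assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|

      [reply_to] = Conn.get_resp_header(conn, "reply-to")

      assert reply_to ==
               "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
    end
  end

  # Outside the describe block: `:enabled` is set explicitly to false here.
  test "it does not send CSP headers when disabled", %{conn: conn} do
    Config.put([:http_security, :enabled], false)
    conn = get(conn, "/api/v1/instance")

    assert Conn.get_resp_header(conn, "x-xss-protection") == []
    assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
    assert Conn.get_resp_header(conn, "x-frame-options") == []
    assert Conn.get_resp_header(conn, "x-content-type-options") == []
    assert Conn.get_resp_header(conn, "x-download-options") == []
    assert Conn.get_resp_header(conn, "referrer-policy") == []
    assert Conn.get_resp_header(conn, "content-security-policy") == []
  end
end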