You've already forked agentic-coding-workflow
bugfix
This commit is contained in:
@@ -0,0 +1,49 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func okHandler() http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
_, _ = w.Write([]byte("ok"))
|
||||
})
|
||||
}
|
||||
|
||||
func TestSecurityHeaders_PresentWhenEnabled(t *testing.T) {
|
||||
h := SecurityHeaders(SecurityHeadersConfig{Enabled: true})(okHandler())
|
||||
rr := httptest.NewRecorder()
|
||||
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
|
||||
|
||||
require.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
|
||||
require.Equal(t, "DENY", rr.Header().Get("X-Frame-Options"))
|
||||
require.Equal(t, "no-referrer", rr.Header().Get("Referrer-Policy"))
|
||||
require.Empty(t, rr.Header().Get("Strict-Transport-Security"), "HSTS only under TLS")
|
||||
}
|
||||
|
||||
func TestSecurityHeaders_HSTSOnlyUnderTLS(t *testing.T) {
|
||||
h := SecurityHeaders(SecurityHeadersConfig{Enabled: true, TLSEnabled: true})(okHandler())
|
||||
rr := httptest.NewRecorder()
|
||||
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
|
||||
require.Contains(t, rr.Header().Get("Strict-Transport-Security"), "max-age=31536000")
|
||||
}
|
||||
|
||||
func TestSecurityHeaders_DisabledIsPassthrough(t *testing.T) {
|
||||
h := SecurityHeaders(SecurityHeadersConfig{Enabled: false})(okHandler())
|
||||
rr := httptest.NewRecorder()
|
||||
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
|
||||
require.Empty(t, rr.Header().Get("X-Content-Type-Options"))
|
||||
require.Equal(t, http.StatusOK, rr.Code)
|
||||
}
|
||||
|
||||
func TestSecurityHeaders_CSPOptIn(t *testing.T) {
|
||||
h := SecurityHeaders(SecurityHeadersConfig{Enabled: true, ContentSecurityPolicy: "default-src 'self'"})(okHandler())
|
||||
rr := httptest.NewRecorder()
|
||||
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
|
||||
require.Equal(t, "default-src 'self'", rr.Header().Get("Content-Security-Policy"))
|
||||
}
|
||||
Reference in New Issue
Block a user