Files
agentic-coding-workflow/internal/transport/http/middleware/security_headers_test.go
T
2026-06-22 08:55:57 +08:00

50 lines
1.8 KiB
Go

package middleware
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/stretchr/testify/require"
)
func okHandler() http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte("ok"))
})
}
func TestSecurityHeaders_PresentWhenEnabled(t *testing.T) {
h := SecurityHeaders(SecurityHeadersConfig{Enabled: true})(okHandler())
rr := httptest.NewRecorder()
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
require.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
require.Equal(t, "DENY", rr.Header().Get("X-Frame-Options"))
require.Equal(t, "no-referrer", rr.Header().Get("Referrer-Policy"))
require.Empty(t, rr.Header().Get("Strict-Transport-Security"), "HSTS only under TLS")
}
func TestSecurityHeaders_HSTSOnlyUnderTLS(t *testing.T) {
h := SecurityHeaders(SecurityHeadersConfig{Enabled: true, TLSEnabled: true})(okHandler())
rr := httptest.NewRecorder()
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
require.Contains(t, rr.Header().Get("Strict-Transport-Security"), "max-age=31536000")
}
func TestSecurityHeaders_DisabledIsPassthrough(t *testing.T) {
h := SecurityHeaders(SecurityHeadersConfig{Enabled: false})(okHandler())
rr := httptest.NewRecorder()
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
require.Empty(t, rr.Header().Get("X-Content-Type-Options"))
require.Equal(t, http.StatusOK, rr.Code)
}
func TestSecurityHeaders_CSPOptIn(t *testing.T) {
h := SecurityHeaders(SecurityHeadersConfig{Enabled: true, ContentSecurityPolicy: "default-src 'self'"})(okHandler())
rr := httptest.NewRecorder()
h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
require.Equal(t, "default-src 'self'", rr.Header().Get("Content-Security-Policy"))
}