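package helmet

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/utils"
)

// newHelmetApp builds a fiber app with the helmet middleware (configured by
// cfg, or with defaults when none is given) and a single "/" route. Every test
// in this file starts from this same setup.
func newHelmetApp(cfg ...Config) *fiber.App {
	app := fiber.New()
	app.Use(New(cfg...))
	app.Get("/", func(c *fiber.Ctx) error {
		return c.SendString("Hello, World!")
	})
	return app
}

// mustGet issues a plain-HTTP GET for path against app and fails the test
// unless the request succeeds with 200 OK. Pinning the status code guards
// against header assertions being evaluated on an error response that merely
// passed through the middleware (a 404 would still carry the headers).
func mustGet(t *testing.T, app *fiber.App, path string) *http.Response {
	t.Helper()
	resp, err := app.Test(httptest.NewRequest(fiber.MethodGet, path, nil))
	utils.AssertEqual(t, nil, err)
	utils.AssertEqual(t, fiber.StatusOK, resp.StatusCode)
	return resp
}

// Test_Default verifies the header set emitted with the zero-value Config.
// CSP and Permissions-Policy have no default and must be absent.
func Test_Default(t *testing.T) {
	app := newHelmetApp()

	resp := mustGet(t, app, "/")
	utils.AssertEqual(t, "0", resp.Header.Get(fiber.HeaderXXSSProtection))
	utils.AssertEqual(t, "nosniff", resp.Header.Get(fiber.HeaderXContentTypeOptions))
	utils.AssertEqual(t, "SAMEORIGIN", resp.Header.Get(fiber.HeaderXFrameOptions))
	utils.AssertEqual(t, "", resp.Header.Get(fiber.HeaderContentSecurityPolicy))
	utils.AssertEqual(t, "no-referrer", resp.Header.Get(fiber.HeaderReferrerPolicy))
	utils.AssertEqual(t, "", resp.Header.Get(fiber.HeaderPermissionsPolicy))
	utils.AssertEqual(t, "require-corp", resp.Header.Get("Cross-Origin-Embedder-Policy"))
	utils.AssertEqual(t, "same-origin", resp.Header.Get("Cross-Origin-Opener-Policy"))
	utils.AssertEqual(t, "same-origin", resp.Header.Get("Cross-Origin-Resource-Policy"))
	utils.AssertEqual(t, "?1", resp.Header.Get("Origin-Agent-Cluster"))
	utils.AssertEqual(t, "off", resp.Header.Get("X-DNS-Prefetch-Control"))
	utils.AssertEqual(t, "noopen", resp.Header.Get("X-Download-Options"))
	utils.AssertEqual(t, "none", resp.Header.Get("X-Permitted-Cross-Domain-Policies"))
	// The request above is plain HTTP and no HSTS max-age is configured, so no
	// Strict-Transport-Security header is expected. NOTE(review): the HSTS
	// fields set in the tests below are never asserted either; an HTTPS-path
	// test is needed to cover them — confirm the emit conditions in helmet.go.
	utils.AssertEqual(t, "", resp.Header.Get(fiber.HeaderStrictTransportSecurity))
}

// Test_CustomValues_AllHeaders verifies that an explicit value for every
// header field overrides the default, and that CSPReportOnly routes the policy
// to the Report-Only header.
func Test_CustomValues_AllHeaders(t *testing.T) {
	app := newHelmetApp(Config{
		// Custom values for all headers
		XSSProtection:             "0",
		ContentTypeNosniff:        "custom-nosniff",
		XFrameOptions:             "DENY",
		HSTSExcludeSubdomains:     true,
		ContentSecurityPolicy:     "default-src 'none'",
		CSPReportOnly:             true,
		HSTSPreloadEnabled:        true,
		ReferrerPolicy:            "origin",
		PermissionPolicy:          "geolocation=(self)",
		CrossOriginEmbedderPolicy: "custom-value",
		CrossOriginOpenerPolicy:   "custom-value",
		CrossOriginResourcePolicy: "custom-value",
		OriginAgentCluster:        "custom-value",
		XDNSPrefetchControl:       "custom-control",
		XDownloadOptions:          "custom-options",
		XPermittedCrossDomain:     "custom-policies",
	})

	resp := mustGet(t, app, "/")
	// Assertions for custom header values
	utils.AssertEqual(t, "0", resp.Header.Get(fiber.HeaderXXSSProtection))
	utils.AssertEqual(t, "custom-nosniff", resp.Header.Get(fiber.HeaderXContentTypeOptions))
	utils.AssertEqual(t, "DENY", resp.Header.Get(fiber.HeaderXFrameOptions))
	utils.AssertEqual(t, "default-src 'none'", resp.Header.Get(fiber.HeaderContentSecurityPolicyReportOnly))
	utils.AssertEqual(t, "origin", resp.Header.Get(fiber.HeaderReferrerPolicy))
	utils.AssertEqual(t, "geolocation=(self)", resp.Header.Get(fiber.HeaderPermissionsPolicy))
	utils.AssertEqual(t, "custom-value", resp.Header.Get("Cross-Origin-Embedder-Policy"))
	utils.AssertEqual(t, "custom-value", resp.Header.Get("Cross-Origin-Opener-Policy"))
	utils.AssertEqual(t, "custom-value", resp.Header.Get("Cross-Origin-Resource-Policy"))
	utils.AssertEqual(t, "custom-value", resp.Header.Get("Origin-Agent-Cluster"))
	utils.AssertEqual(t, "custom-control", resp.Header.Get("X-DNS-Prefetch-Control"))
	utils.AssertEqual(t, "custom-options", resp.Header.Get("X-Download-Options"))
	utils.AssertEqual(t, "custom-policies", resp.Header.Get("X-Permitted-Cross-Domain-Policies"))
}

// Test_RealWorldValues_AllHeaders verifies a hardened, production-style
// configuration round-trips unchanged, including a long multi-directive CSP.
func Test_RealWorldValues_AllHeaders(t *testing.T) {
	app := newHelmetApp(Config{
		// Real-world values for all headers
		XSSProtection:             "0",
		ContentTypeNosniff:        "nosniff",
		XFrameOptions:             "SAMEORIGIN",
		HSTSExcludeSubdomains:     false,
		ContentSecurityPolicy:     "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
		CSPReportOnly:             false,
		HSTSPreloadEnabled:        true,
		ReferrerPolicy:            "no-referrer",
		PermissionPolicy:          "geolocation=(self)",
		CrossOriginEmbedderPolicy: "require-corp",
		CrossOriginOpenerPolicy:   "same-origin",
		CrossOriginResourcePolicy: "same-origin",
		OriginAgentCluster:        "?1",
		XDNSPrefetchControl:       "off",
		XDownloadOptions:          "noopen",
		XPermittedCrossDomain:     "none",
	})

	resp := mustGet(t, app, "/")
	// Assertions for real-world header values
	utils.AssertEqual(t, "0", resp.Header.Get(fiber.HeaderXXSSProtection))
	utils.AssertEqual(t, "nosniff", resp.Header.Get(fiber.HeaderXContentTypeOptions))
	utils.AssertEqual(t, "SAMEORIGIN", resp.Header.Get(fiber.HeaderXFrameOptions))
	utils.AssertEqual(t, "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests", resp.Header.Get(fiber.HeaderContentSecurityPolicy))
	utils.AssertEqual(t, "no-referrer", resp.Header.Get(fiber.HeaderReferrerPolicy))
	utils.AssertEqual(t, "geolocation=(self)", resp.Header.Get(fiber.HeaderPermissionsPolicy))
	utils.AssertEqual(t, "require-corp", resp.Header.Get("Cross-Origin-Embedder-Policy"))
	utils.AssertEqual(t, "same-origin", resp.Header.Get("Cross-Origin-Opener-Policy"))
	utils.AssertEqual(t, "same-origin", resp.Header.Get("Cross-Origin-Resource-Policy"))
	utils.AssertEqual(t, "?1", resp.Header.Get("Origin-Agent-Cluster"))
	utils.AssertEqual(t, "off", resp.Header.Get("X-DNS-Prefetch-Control"))
	utils.AssertEqual(t, "noopen", resp.Header.Get("X-Download-Options"))
	utils.AssertEqual(t, "none", resp.Header.Get("X-Permitted-Cross-Domain-Policies"))
}

// Test_Next verifies that a Next predicate returning true bypasses the
// middleware entirely for that request, while other paths still get headers.
func Test_Next(t *testing.T) {
	app := newHelmetApp(Config{
		Next: func(ctx *fiber.Ctx) bool {
			return ctx.Path() == "/next"
		},
		ReferrerPolicy: "no-referrer",
	})
	app.Get("/next", func(c *fiber.Ctx) error {
		return c.SendString("Skipped!")
	})

	resp := mustGet(t, app, "/")
	utils.AssertEqual(t, "no-referrer", resp.Header.Get(fiber.HeaderReferrerPolicy))

	// The skipped path must carry none of the middleware's headers.
	resp = mustGet(t, app, "/next")
	utils.AssertEqual(t, "", resp.Header.Get(fiber.HeaderReferrerPolicy))
}

// Test_ContentSecurityPolicy verifies that a CSP is emitted on the enforcing
// header when CSPReportOnly is left false.
func Test_ContentSecurityPolicy(t *testing.T) {
	app := newHelmetApp(Config{
		ContentSecurityPolicy: "default-src 'none'",
	})

	resp := mustGet(t, app, "/")
	utils.AssertEqual(t, "default-src 'none'", resp.Header.Get(fiber.HeaderContentSecurityPolicy))
}

// Test_ContentSecurityPolicyReportOnly verifies that CSPReportOnly moves the
// policy to Content-Security-Policy-Report-Only and leaves the enforcing
// header unset, so report-only mode never silently blocks content.
func Test_ContentSecurityPolicyReportOnly(t *testing.T) {
	app := newHelmetApp(Config{
		ContentSecurityPolicy: "default-src 'none'",
		CSPReportOnly:         true,
	})

	resp := mustGet(t, app, "/")
	utils.AssertEqual(t, "default-src 'none'", resp.Header.Get(fiber.HeaderContentSecurityPolicyReportOnly))
	utils.AssertEqual(t, "", resp.Header.Get(fiber.HeaderContentSecurityPolicy))
}

// Test_PermissionsPolicy verifies that PermissionPolicy is emitted verbatim on
// the Permissions-Policy header.
func Test_PermissionsPolicy(t *testing.T) {
	app := newHelmetApp(Config{
		PermissionPolicy: "microphone=()",
	})

	resp := mustGet(t, app, "/")
	utils.AssertEqual(t, "microphone=()", resp.Header.Get(fiber.HeaderPermissionsPolicy))
}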