From bca1f5d8e1f7e80a52e94418411347813ecac03f Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 8 Jul 2017 12:14:20 +0100 Subject: [PATCH] test hardening headers --- tests/server.test.ts | 97 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 82 insertions(+), 15 deletions(-)
diff --git a/tests/server.test.ts b/tests/server.test.ts
index edbfed4..3975bc0 100644
--- a/tests/server.test.ts
+++ b/tests/server.test.ts
@@ -2,7 +2,9 @@ import { expect } from 'chai';
 import { runServer } from './helpers';
 import * as fs from 'fs';
 import * as path from 'path';
+import { Options } from '../src/types';
+const PKG = require('../package.json');
 describe('Server', function () {
 it('Should be usable', function (done) {
@@ -20,21 +22,6 @@ describe('Server', function () {
 });
 });
- it('Should nave no x-powered-by header', function (done) {
- runServer({
- allowed_ips: [],
- basicAuth: [],
- dirList: false,
- serveDir: 'site/',
- opbeat: false,
- open: false
- }, '/index.html', function (response : any) {
- expect(response.status).to.equal(200);
- expect(response.headers.get('x-powered-by')).to.equal(null);
- done();
- });
- });
-
 describe('index route', function () {
 const body = fs.readFileSync(path.join(__dirname, '..', 'site', 'index.html')).toString();
@@ -54,4 +41,84 @@ describe('Server', function () {
 });
 });
 });
+
+ describe('secure headers', function () {
+ const SERVER_SETTINGS = {
+ allowed_ips: [],
+ basicAuth: [],
+ dirList: false,
+ serveDir: 'site/',
+ opbeat: false,
+ open: false
+ } as Options;
+
+ it('Should have no powered by header', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('x-powered-by')).to.contain('tstatic');
+ expect(response.headers.get('x-powered-by')).to.contain(PKG.version);
+ done();
+ });
+ });
+
+ it('Should have xss block header', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('x-xss-protection')).to.equal('1; mode=block');
+ done();
+ });
+ });
+
+ it('Should block iframes', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('x-frame-options')).to.equal('SAMEORIGIN');
+ done();
+ });
+ });
+
+ it('Should have expect-ct header', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('expect-ct')).to.equal('max-age=1000');
+ done();
+ });
+ });
+
+ it('Should block DNS prefetch', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('x-dns-prefetch-control')).to.equal('off');
+ done();
+ });
+ });
+
+ it('Should block open on IE', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('x-download-options')).to.equal('noopen');
+ done();
+ });
+ });
+
+ it('Should block cache', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('cache-control')).to.contain('no-store');
+ expect(response.headers.get('cache-control')).to.contain('no-cache');
+ expect(response.headers.get('pragma')).to.contain('no-cache');
+ expect(response.headers.get('surrogate-control')).to.contain('no-store');
+ expect(response.headers.get('expires')).to.contain(0);
+ done();
+ });
+ });
+
+ it('Should block cache', function (done) {
+ runServer(SERVER_SETTINGS, '/index.html', function (response : any) {
+ expect(response.status).to.equal(200);
+ expect(response.headers.get('referrer-policy')).to.contain('same-origin');
+ done();
+ });
+ });
+ });
 });
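Review bot: The first test in the new `secure headers` block is titled 'Should have no powered by header' yet asserts that x-powered-by contains 'tstatic' and PKG.version, so the suite now enforces exact server-and-version disclosure (the test removed earlier in this patch asserted the header was absent) and the title contradicts the assertion. If advertising the version is intentional, rename it to `it('Should expose tstatic version in x-powered-by header', function (done) {` and add a comment such as `// NOTE: exposes the exact version — trivial fingerprinting for scanners`; otherwise keep the old `to.equal(null)` expectation. The last test reuses the title 'Should block cache' while it actually checks Referrer-Policy; rename it `it('Should set referrer policy', function (done) {`. In the cache test `expect(response.headers.get('expires')).to.contain(0)` hands a number to a string containment check, which presumably only passes through chai's coercion — `to.equal('0')` pins the value explicitly. `} as Options;` silences excess-property errors on the settings literal; a declaration `const SERVER_SETTINGS: Options = {` keeps the type checks.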