security_test.go
123 lines1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package application
import (
"context"
"net/http"
"net/http/httptest"
"strings"
"testing"
)
func TestSecurityHeaders_SetsStandardHeaders(t *testing.T) {
inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
mw := SecurityHeaders()
handler := mw(inner)
rec := httptest.NewRecorder()
req := httptest.NewRequest("GET", "/", nil)
handler.ServeHTTP(rec, req)
tests := []struct {
header string
expected string
}{
{"X-Content-Type-Options", "nosniff"},
{"X-Frame-Options", "DENY"},
{"Referrer-Policy", "strict-origin-when-cross-origin"},
{"Permissions-Policy", "camera=(), microphone=(), geolocation=()"},
}
for _, tc := range tests {
got := rec.Header().Get(tc.header)
if got != tc.expected {
t.Errorf("header %s: expected %q, got %q", tc.header, tc.expected, got)
}
}
}
func TestSecurityHeaders_CSPIncludesNonce(t *testing.T) {
inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
mw := SecurityHeaders()
handler := mw(inner)
rec := httptest.NewRecorder()
// Simulate a request with a nonce in context (as NonceMiddleware would set)
req := httptest.NewRequest("GET", "/", nil)
ctx := context.WithValue(req.Context(), nonceKey{}, "test-nonce-123")
req = req.WithContext(ctx)
handler.ServeHTTP(rec, req)
csp := rec.Header().Get("Content-Security-Policy")
if csp == "" {
t.Fatal("expected Content-Security-Policy header to be set when nonce is present")
}
if !strings.Contains(csp, "'nonce-test-nonce-123'") {
t.Errorf("CSP should contain nonce, got: %s", csp)
}
if !strings.Contains(csp, "'strict-dynamic'") {
t.Errorf("CSP should contain strict-dynamic, got: %s", csp)
}
if !strings.Contains(csp, "default-src 'self'") {
t.Errorf("CSP should contain default-src 'self', got: %s", csp)
}
if !strings.Contains(csp, "frame-ancestors 'none'") {
t.Errorf("CSP should contain frame-ancestors 'none', got: %s", csp)
}
}
func TestSecurityHeaders_NoCSPWithoutNonce(t *testing.T) {
inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
mw := SecurityHeaders()
handler := mw(inner)
rec := httptest.NewRecorder()
req := httptest.NewRequest("GET", "/", nil)
// No nonce in context
handler.ServeHTTP(rec, req)
csp := rec.Header().Get("Content-Security-Policy")
if csp != "" {
t.Errorf("expected no CSP header without nonce, got: %s", csp)
}
// Other security headers should still be set
if rec.Header().Get("X-Content-Type-Options") != "nosniff" {
t.Error("X-Content-Type-Options should still be set without nonce")
}
}
func TestSecurityHeaders_FullMiddlewareChain(t *testing.T) {
// Test NonceMiddleware + SecurityHeaders working together
inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
// Chain: NonceMiddleware -> SecurityHeaders -> handler
nonceMW := NonceMiddleware()
secMW := SecurityHeaders()
handler := nonceMW(secMW(inner))
rec := httptest.NewRecorder()
req := httptest.NewRequest("GET", "/", nil)
handler.ServeHTTP(rec, req)
csp := rec.Header().Get("Content-Security-Policy")
if csp == "" {
t.Fatal("expected CSP to be set when NonceMiddleware is in chain")
}
if !strings.Contains(csp, "'nonce-") {
t.Errorf("CSP should contain a nonce, got: %s", csp)
}
}