x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

chore(test): add test for cache control and security headers
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 43s
Details
Build and Push Docker Image / Build-And-Push-Docker-Image (push) Successful in 49s
Details

Browse Source
This commit was merged in pull request #334.
This commit is contained in:
Tim Wundenberg
2024-12-16 22:51:23 +01:00
parent 9bb603970d
commit 23aa3d4b0e
4 changed files with 89 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
main_test.go
View File

@@ -30,8 +30,83 @@ var (
port atomic.Int32
)
func TestSecurity(t *testing.T) {
func TestSecurityHeader(t *testing.T) {
t.Parallel()
t.Run("should keep caching for static content", func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/static/favicon.svg", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
cacheControl := resp.Header.Get("Cache-Control")
assert.Equal(t, "", cacheControl)
})
t.Run("should disable caching for dynamic content", func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath, nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
cacheControl := resp.Header.Get("Cache-Control")
assert.Equal(t, "no-cache, no-store, must-revalidate", cacheControl)
})
t.Run("should include security headers", func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath, nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
value := resp.Header.Get("X-Content-Type-Options")
assert.Equal(t, "nosniff", value)
value = resp.Header.Get("Access-Control-Allow-Origin")
assert.Equal(t, basePath, value)
value = resp.Header.Get("Access-Control-Allow-Methods")
assert.Equal(t, "GET, POST, DELETE", value)
value = resp.Header.Get("Content-Security-Policy")
assert.Equal(t, "default-src 'none';"+
"script-src 'self' https://umami.me-fit.eu"+
"connect-src 'self' https://umami.me-fit.eu"+
"img-src 'self'"+
"style-src 'self'"+
"form-action 'self'"+
"frame-ancestors 'none'", value)
value = resp.Header.Get("Cross-Origin-Resource-Policy")
assert.Equal(t, "same-origin", value)
value = resp.Header.Get("Cross-Origin-Opener-Policy")
assert.Equal(t, "same-origin", value)
value = resp.Header.Get("Cross-Origin-Embedder-Policy")
assert.Equal(t, "require-corp", value)
value = resp.Header.Get("Permissions-Policy")
assert.Equal(t, "geolocation=(), camera=(), microphone=(), interest-cohort=()", value)
value = resp.Header.Get("Referrer-Policy")
assert.Equal(t, "strict-origin-when-cross-origin", value)
value = resp.Header.Get("Strict-Transport-Security")
assert.Equal(t, "max-age=63072000; includeSubDomains; preload", value)
})
}
func TestAuth(t *testing.T) {