44 lines
1011 B
Go
44 lines
1011 B
Go
|
package main
|
||
|
|
|
||
|
|
import (
|
||
|
|
"bytes"
|
||
|
|
"io"
|
||
|
|
"net/http"
|
||
|
|
"net/http/httptest"
|
||
|
|
"testing"
|
||
|
|
|
||
|
|
"snippetbox.chaosfem.tw/internal/assert"
|
||
|
|
)
|
||
|
|
|
||
|
|
func TestSecureHeaders(t *testing.T) {
|
||
|
|
rr := httptest.NewRecorder()
|
||
|
|
|
||
|
|
r, err := http.NewRequest(http.MethodGet, "/", nil)
|
||
|
|
if err != nil {
|
||
|
|
t.Fatal(err)
|
||
|
|
}
|
||
|
|
|
||
|
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
|
|
w.Write([]byte("OK"))
|
||
|
|
})
|
||
|
|
|
||
|
|
secureHeaders(next).ServeHTTP(rr, r)
|
||
|
|
|
||
|
|
rs := rr.Result()
|
||
|
|
|
||
|
|
assert.Equal(t, rs.Header.Get("Content-Security-Policy"), "default-src 'self'; style-src 'self' fonts.googleapis.com; font-src fonts.gstatic.com")
|
||
|
|
assert.Equal(t, rs.Header.Get("Referrer-Policy"), "origin-when-cross-origin")
|
||
|
|
assert.Equal(t, rs.Header.Get("X-Content-Type-Options"), "nosniff")
|
||
|
|
assert.Equal(t, rs.Header.Get("X-Frame-Options"), "deny")
|
||
|
|
assert.Equal(t, rs.Header.Get("X-XSS-Protection"), "0")
|
||
|
|
|
||
|
|
defer rs.Body.Close()
|
||
|
|
|
||
|
|
body, err := io.ReadAll(rs.Body)
|
||
|
|
if err != nil {
|
||
|
|
t.Fatal(err)
|
||
|
|
}
|
||
|
|
|
||
|
|
assert.Equal(t, string(bytes.TrimSpace(body)), "OK")
|
||
|
|
}
|