Diffstat (limited to 'web/web_test.go')
-rw-r--r--web/web_test.go25
1 files changed, 25 insertions, 0 deletions
diff --git a/web/web_test.go b/web/web_test.go
index 89ca998..c6cf306 100644
--- a/web/web_test.go
+++ b/web/web_test.go
@@ -10,10 +10,15 @@ import (
"adammathes.com/neko/api"
"adammathes.com/neko/config"
+ "adammathes.com/neko/internal/safehttp"
"adammathes.com/neko/models"
"golang.org/x/crypto/bcrypt"
)
+func init() {
+ safehttp.AllowLocal = true
+}
+
func setupTestDB(t *testing.T) {
t.Helper()
config.Config.DBFile = filepath.Join(t.TempDir(), "test.db")
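Review bot: `safehttp.AllowLocal = true` in `init()` flips a package-level guard for the whole `web` test binary, so any test in this package that is supposed to verify that loopback or private destinations are rejected will now pass trivially; if that trade-off is intended it deserves a comment, e.g. `// httptest servers bind 127.0.0.1, which safehttp would otherwise refuse.` Presumably AllowLocal relaxes an SSRF-style restriction on local addresses — confirm against internal/safehttp. A narrower option is to set the flag only in the tests that need it and restore it with `t.Cleanup(func() { safehttp.AllowLocal = false })`, so the default behaviour stays under test elsewhere.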
@@ -774,3 +779,23 @@ func TestCSRFMiddleware(t *testing.T) {
t.Errorf("Expected 200 for POST with valid token, got %d", rr.Code)
}
}
+
+func TestSecurityHeadersMiddleware(t *testing.T) {
+ handler := SecurityHeadersMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(http.StatusOK)
+ }))
+
+ req := httptest.NewRequest("GET", "/", nil)
+ rr := httptest.NewRecorder()
+ handler.ServeHTTP(rr, req)
+
+ if rr.Header().Get("X-Content-Type-Options") != "nosniff" {
+ t.Error("Missing X-Content-Type-Options: nosniff")
+ }
+ if rr.Header().Get("X-Frame-Options") != "DENY" {
+ t.Error("Missing X-Frame-Options: DENY")
+ }
+ if rr.Header().Get("Content-Security-Policy") == "" {
+ t.Error("Missing Content-Security-Policy")
+ }
+}
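Review bot: The Content-Security-Policy assertion at the end of TestSecurityHeadersMiddleware only checks that the header is non-empty, so a regression from a restrictive policy to a permissive one (or a typo in a directive) would not be caught; pin the directives the middleware is meant to emit, e.g. `if csp := rr.Header().Get("Content-Security-Policy"); !strings.Contains(csp, "default-src") { t.Errorf("unexpected CSP %q", csp) }` (adjust to the actual policy; `strings` is not imported in the visible hunks). It would also be worth asserting `rr.Code == http.StatusOK` so the test proves the wrapped handler was reached and the headers were set before the response was committed. If the middleware also sets Referrer-Policy or Strict-Transport-Security, those deserve the same treatment — I can't tell from the hunk.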