'use strict';
const helmet = require('../');
const Koa = require('koa');
const request = require('supertest');
const test = require('ava');
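test('it works with the default helmet call', async t => {
  const app = new Koa();
  app.use(helmet());
  app.use((ctx) => {
    ctx.body = 'Hello world!';
  });

  // Keep the server handle: supertest only closes servers it creates itself
  // from an app function, so one passed in via app.listen() must be closed
  // here or it leaks for the rest of the test run.
  const server = app.listen();
  try {
    // Every default middleware should be present; a failed expectation rejects
    // and fails the test with the original error, so no catch/t.fail is needed.
    await request(server)
      .get('/')
      // contentSecurityPolicy
      .expect(
        'Content-Security-Policy',
        "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
      )
      // dnsPrefetchControl
      .expect('X-DNS-Prefetch-Control', 'off')
      // frameguard
      .expect('X-Frame-Options', 'SAMEORIGIN')
      // hsts
      .expect('Strict-Transport-Security', 'max-age=15552000; includeSubDomains')
      // ieNoOpen
      .expect('X-Download-Options', 'noopen')
      // noSniff
      .expect('X-Content-Type-Options', 'nosniff')
      // referrerPolicy
      .expect('Referrer-Policy', 'no-referrer')
      // permittedCrossDomainPolicies
      .expect('X-Permitted-Cross-Domain-Policies', 'none')
      // xssFilter: helmet deliberately disables the legacy filter ('0')
      .expect('X-XSS-Protection', '0')
      .expect(200);
    t.pass();
  } finally {
    server.close();
  }
});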
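test('it sets individual headers properly', async t => {
  const app = new Koa();
  app.use(
    helmet.hsts({
      // NOTE(review): `force` is not an option of helmet's current hsts
      // middleware and looks like a leftover from an older API — confirm
      // against the installed helmet version and drop it if it is ignored.
      force: true,
    })
  );
  app.use(helmet.contentSecurityPolicy());
  app.use(
    helmet.dnsPrefetchControl({
      allow: false,
    })
  );
  app.use(helmet.ieNoOpen());
  app.use(helmet.referrerPolicy());
  app.use(helmet.xssFilter());
  // frameguard takes an options object. The previous bare 'deny' string was
  // silently ignored, so the middleware fell back to SAMEORIGIN and the test
  // was asserting the default rather than the requested policy.
  app.use(helmet.frameguard({ action: 'deny' }));
  app.use(helmet.noSniff());
  app.use(helmet.permittedCrossDomainPolicies());
  app.use(helmet.expectCt());
  app.use(ctx => {
    ctx.body = 'Hello world!';
  });

  // Keep the server handle so it can be closed; supertest does not close a
  // server that was passed in already listening.
  const server = app.listen();
  try {
    await request(server)
      .get('/')
      // contentSecurityPolicy
      .expect(
        'Content-Security-Policy',
        "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
      )
      // dnsPrefetchControl
      .expect('X-DNS-Prefetch-Control', 'off')
      // referrerPolicy
      .expect('Referrer-Policy', 'no-referrer')
      // ieNoOpen
      .expect('X-Download-Options', 'noopen')
      // hsts
      .expect('Strict-Transport-Security', 'max-age=15552000; includeSubDomains')
      // frameguard: now asserts the policy actually requested above
      .expect('X-Frame-Options', 'DENY')
      // noSniff
      .expect('X-Content-Type-Options', 'nosniff')
      // permittedCrossDomainPolicies
      .expect('X-Permitted-Cross-Domain-Policies', 'none')
      // xssFilter is mounted above but was never asserted on
      .expect('X-XSS-Protection', '0')
      // the response itself must succeed, not just carry the headers
      .expect(200);
    t.pass();
  } finally {
    server.close();
  }
});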
test('it reexports middleware exports', t => {
  // helmet's contentSecurityPolicy export must carry the same static helpers
  // as the underlying middleware so callers can reach them through koa-helmet.
  const reexportedHelpers = ['getDefaultDirectives', 'dangerouslyDisableDefaultSrc'];
  for (const helperName of reexportedHelpers) {
    t.true(
      helperName in helmet.contentSecurityPolicy,
      `expected contentSecurityPolicy to expose ${helperName}`
    );
  }
});