/
test_secure_headers.py
192 lines (169 loc) · 7.53 KB
/
test_secure_headers.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
# -*- coding: utf-8 -*-
# rdiffweb, A web interface to rdiff-backup repositories
# Copyright (C) 2012-2021 rdiffweb contributors
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Created on Oct 20, 2021
@author: Patrik Dufresne
"""
from parameterized import parameterized
import rdiffweb.test
class SecureHeadersTest(rdiffweb.test.WebCase):
login = True
def test_cookie_samesite_lax(self):
# Given a request made to rdiffweb
# When receiving the response
self.getPage('/')
# Then the header contains Set-Cookie with SameSite=Lax
cookie = self.assertHeader('Set-Cookie')
self.assertIn('SameSite=Lax', cookie)
def test_cookie_samesite_lax_without_session(self):
# Given not a client sending no cookie
self.cookies = None
# When a query is made to a static path (without session)
self.getPage('/static/blue.css')
# Then Set-Cookie is not defined.
self.assertNoHeader('Set-Cookie')
def test_cookie_with_https(self):
# Given an https request made to rdiffweb
self.getPage('/', headers=[('X-Forwarded-Proto', 'https')])
# When receiving the response
self.assertStatus(200)
# Then the header contains Set-Cookie with Secure
cookie = self.assertHeader('Set-Cookie')
self.assertIn('Secure', cookie)
@parameterized.expand(
[
('/invalid', 404),
('/browse/invalid', 404),
('/login', 301),
('/logout', 303),
]
)
def test_cookie_with_https_http_error(self, url, expected_error_code):
# Given an https request made to rdiffweb
self.getPage(url, headers=[('X-Forwarded-Proto', 'https')])
# When receiving the response
self.assertStatus(expected_error_code)
# Then the header contains Set-Cookie with Secure
cookie = self.assertHeader('Set-Cookie')
self.assertIn('Secure', cookie)
def test_cookie_with_http(self):
# Given an https request made to rdiffweb
self.getPage('/')
# When receiving the response
# Then the header contains Set-Cookie with Secure
cookie = self.assertHeader('Set-Cookie')
self.assertNotIn('Secure', cookie)
def test_get_with_wrong_origin(self):
# Given a GET request made to rdiffweb
# When the request is made using a different origin
self.getPage('/', headers=[('Origin', 'http://www.examples.com')])
# Then the response status it 200 OK.
self.assertStatus(200)
def test_post_with_wrong_origin(self):
# Given a POST request made to rdiffweb
# When the request is made using a different origin
self.getPage('/', headers=[('Origin', 'http://www.examples.com')], method='POST')
# Then the request is refused with 403 Forbiden
self.assertStatus(403)
self.assertInBody('Unexpected Origin header')
def test_post_with_prefixed_origin(self):
# Given a POST request made to rdiffweb
# When the request is made using a different origin
base = 'http://%s:%s' % (self.HOST + 'anything.com', self.PORT)
self.getPage('/dashboard/', headers=[('Origin', base)], method='POST')
# Then the request is accepted with 200 OK
self.assertStatus(403)
self.assertInBody('Unexpected Origin header')
def test_post_with_valid_origin(self):
# Given a POST request made to rdiffweb
# When the request is made using a different origin
base = 'http://%s:%s' % (self.HOST, self.PORT)
self.getPage('/', headers=[('Origin', base)], method='POST')
# Then the request is accepted with 200 OK
self.assertStatus(200)
def test_post_without_origin(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/', method='POST')
# Then the request is accepted with 200 OK
self.assertStatus(200)
def test_clickjacking_defense(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue('X-Frame-Options', 'DENY')
def test_no_cache(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue('Cache-control', 'no-cache')
self.assertHeaderItemValue('Cache-control', 'no-store')
self.assertHeaderItemValue('Cache-control', 'must-revalidate')
self.assertHeaderItemValue('Cache-control', 'max-age=0')
self.assertHeaderItemValue('Pragma', 'no-cache')
self.assertHeaderItemValue('Expires', '0')
def test_no_cache_with_static(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/static/default.css')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertNoHeader('Cache-control')
self.assertNoHeader('Pragma')
self.assertNoHeader('Expires')
def test_referrer_policy(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue('Referrer-Policy', 'same-origin')
def test_nosniff(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue('X-Content-Type-Options', 'nosniff')
def test_xss_protection(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue('X-XSS-Protection', '1; mode=block')
def test_content_security_policy(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue(
'Content-Security-Policy',
"default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'",
)
def test_strict_transport_security(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/', headers=[('X-Forwarded-Proto', 'https')])
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')