Sign upLogin

mike-goodwin/owasp-threat-dragon

View on GitHub
Star
td.tests/serverspec/securityheaders.config_spec.js

Summary

Maintainability
A
3 hrs
Test Coverage
'use strict';

var request = require('supertest');
var express = require('express');
var finish_test = require('./helpers/supertest-jasmine');

describe('security header tests', function () {

    var app;

    beforeEach(function () {

        app = express();
        require('../../td/config/securityheaders.config')(app, true);
        app.get('/', function (req, res) {
            res.status(200).send('result');
        });

    });

    it('should remove the x-powered-by header', function (done) {

        function noXPoweredBy(res) {

            if (res.header["x-powered-by"]) {
                throw new Error('Found X-Powered-By header: ' + res.header["x-powered-by"]);
            };
        };

        request(app)
            .get('/')
            .expect(200)
            .expect(noXPoweredBy)
            .end(finish_test(done));
    });

    it('should set x-frame-options DENY', function (done) {

        request(app)
            .get('/')
            .expect(200)
            .expect('x-frame-options', 'DENY')
            .end(finish_test(done));

    });

    it('should set x-content-type-options nosniff', function (done) {

        request(app)
            .get('/')
            .expect(200)
            .expect('x-content-type-options', 'nosniff')
            .end(finish_test(done));

    });

    it('should set x-xss-protection', function (done) {

        request(app)
            .get('/')
            .expect(200)
            .expect('x-xss-protection', '1; mode=block')
            .end(finish_test(done));

    });

    it('should set HSTS polcy', function (done) {

        request(app)
            .get('/')
            .set('protocol', 'https')
            .expect(200)
            .expect('strict-transport-security', 'max-age=7776000')
            .end(finish_test(done));

    });

    it('should set CSP', function (done) {

        var csp = 'default-src \'none\'; script-src \'self\'; conn' +
            'ect-src \'self\'; style-src \'self\' https://fonts.googleapis.com \'' +
            'unsafe-inline\'; img-src \'self\' data:; font-src \'self\' https://fonts.gstatic.com ' +
            'data:; form-action \'self\' https://github.com; report-uri https://owaspthreatdragon.report-uri.com/r/d/csp/enforce';

        request(app)
            .get('/')
            .expect(200)
            .expect('content-security-policy', csp)
            .expect('x-content-security-policy', csp)
            .expect('x-webkit-csp', csp)
            .end(finish_test(done));

    });

    it('should set a referrer policy', function (done) {

        var referrer = 'strict-origin-when-cross-origin';

        request(app)
            .get('/')
            .expect(200)
            .expect('referrer-policy', referrer)
            .end(finish_test(done));

    });
});