veza/veza-backend-api/internal/middleware/security_headers_test.go

package middleware

import (
	"net/http"
	"net/http/httptest"
	"os"
	"testing"

	"github.com/gin-gonic/gin"
	"github.com/stretchr/testify/assert"
)

// TestSecurityHeaders vérifie que les headers de sécurité sont ajoutés
// BE-SEC-011: Test pour valider que les headers sécurité sont présents
func TestSecurityHeaders(t *testing.T) {
	gin.SetMode(gin.TestMode)
	router := gin.New()
	router.Use(SecurityHeaders())
	router.GET("/test", func(c *gin.Context) {
		c.JSON(http.StatusOK, gin.H{"message": "test"})
	})

	req, _ := http.NewRequest("GET", "/test", nil)
	w := httptest.NewRecorder()
	router.ServeHTTP(w, req)

	// BE-SEC-011: Vérifier que tous les headers de sécurité sont présents
	// HSTS est seulement en production, donc on vérifie conditionnellement
	if os.Getenv("APP_ENV") == "production" || os.Getenv("APP_ENV") == "prod" {
		assert.Equal(t, "max-age=31536000; includeSubDomains; preload", w.Header().Get("Strict-Transport-Security"))
	} else {
		// En développement, HSTS ne doit pas être présent
		assert.Empty(t, w.Header().Get("Strict-Transport-Security"))
	}

	assert.Equal(t, "nosniff", w.Header().Get("X-Content-Type-Options"))
	assert.Equal(t, "DENY", w.Header().Get("X-Frame-Options"))
	assert.Equal(t, "1; mode=block", w.Header().Get("X-XSS-Protection"))
	assert.Equal(t, "strict-origin-when-cross-origin", w.Header().Get("Referrer-Policy"))
	assert.Contains(t, w.Header().Get("Permissions-Policy"), "geolocation=()")
	assert.Contains(t, w.Header().Get("Content-Security-Policy"), "default-src 'none'")
	assert.Contains(t, w.Header().Get("Content-Security-Policy"), "frame-ancestors 'none'")

	// BE-SEC-011: Nouveaux headers ajoutés
	assert.Equal(t, "none", w.Header().Get("X-Permitted-Cross-Domain-Policies"))
	assert.Equal(t, "require-corp", w.Header().Get("Cross-Origin-Embedder-Policy"))
	assert.Equal(t, "same-origin", w.Header().Get("Cross-Origin-Opener-Policy"))
	assert.Equal(t, "same-origin", w.Header().Get("Cross-Origin-Resource-Policy"))
}
refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`package middleware`

			`import (`
			`"net/http"`
			`"net/http/httptest"`
[BE-SEC-011] be-sec: Implement security headers - Enhanced security headers middleware with additional headers - Added X-Permitted-Cross-Domain-Policies: none - Added Cross-Origin-Embedder-Policy: require-corp - Added Cross-Origin-Opener-Policy: same-origin - Added Cross-Origin-Resource-Policy: same-origin - Enhanced Permissions-Policy with additional restrictions - Enhanced CSP with frame-ancestors directive - HSTS now only set in production (not in development) - Updated tests to verify all new headers 2025-12-24 11:24:54 +00:00			`"os"`
refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`"testing"`

			`"github.com/gin-gonic/gin"`
			`"github.com/stretchr/testify/assert"`
			`)`

			`// TestSecurityHeaders vérifie que les headers de sécurité sont ajoutés`
[BE-SEC-011] be-sec: Implement security headers - Enhanced security headers middleware with additional headers - Added X-Permitted-Cross-Domain-Policies: none - Added Cross-Origin-Embedder-Policy: require-corp - Added Cross-Origin-Opener-Policy: same-origin - Added Cross-Origin-Resource-Policy: same-origin - Enhanced Permissions-Policy with additional restrictions - Enhanced CSP with frame-ancestors directive - HSTS now only set in production (not in development) - Updated tests to verify all new headers 2025-12-24 11:24:54 +00:00			`// BE-SEC-011: Test pour valider que les headers sécurité sont présents`
refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`func TestSecurityHeaders(t *testing.T) {`
			`gin.SetMode(gin.TestMode)`
			`router := gin.New()`
			`router.Use(SecurityHeaders())`
			`router.GET("/test", func(c *gin.Context) {`
			`c.JSON(http.StatusOK, gin.H{"message": "test"})`
			`})`

			`req, _ := http.NewRequest("GET", "/test", nil)`
			`w := httptest.NewRecorder()`
			`router.ServeHTTP(w, req)`

[BE-SEC-011] be-sec: Implement security headers - Enhanced security headers middleware with additional headers - Added X-Permitted-Cross-Domain-Policies: none - Added Cross-Origin-Embedder-Policy: require-corp - Added Cross-Origin-Opener-Policy: same-origin - Added Cross-Origin-Resource-Policy: same-origin - Enhanced Permissions-Policy with additional restrictions - Enhanced CSP with frame-ancestors directive - HSTS now only set in production (not in development) - Updated tests to verify all new headers 2025-12-24 11:24:54 +00:00			`// BE-SEC-011: Vérifier que tous les headers de sécurité sont présents`
			`// HSTS est seulement en production, donc on vérifie conditionnellement`
			`if os.Getenv("APP_ENV") == "production" \|\| os.Getenv("APP_ENV") == "prod" {`
			`assert.Equal(t, "max-age=31536000; includeSubDomains; preload", w.Header().Get("Strict-Transport-Security"))`
			`} else {`
			`// En développement, HSTS ne doit pas être présent`
			`assert.Empty(t, w.Header().Get("Strict-Transport-Security"))`
			`}`

refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`assert.Equal(t, "nosniff", w.Header().Get("X-Content-Type-Options"))`
			`assert.Equal(t, "DENY", w.Header().Get("X-Frame-Options"))`
			`assert.Equal(t, "1; mode=block", w.Header().Get("X-XSS-Protection"))`
			`assert.Equal(t, "strict-origin-when-cross-origin", w.Header().Get("Referrer-Policy"))`
[BE-SEC-011] be-sec: Implement security headers - Enhanced security headers middleware with additional headers - Added X-Permitted-Cross-Domain-Policies: none - Added Cross-Origin-Embedder-Policy: require-corp - Added Cross-Origin-Opener-Policy: same-origin - Added Cross-Origin-Resource-Policy: same-origin - Enhanced Permissions-Policy with additional restrictions - Enhanced CSP with frame-ancestors directive - HSTS now only set in production (not in development) - Updated tests to verify all new headers 2025-12-24 11:24:54 +00:00			`assert.Contains(t, w.Header().Get("Permissions-Policy"), "geolocation=()")`
refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`assert.Contains(t, w.Header().Get("Content-Security-Policy"), "default-src 'none'")`
[BE-SEC-011] be-sec: Implement security headers - Enhanced security headers middleware with additional headers - Added X-Permitted-Cross-Domain-Policies: none - Added Cross-Origin-Embedder-Policy: require-corp - Added Cross-Origin-Opener-Policy: same-origin - Added Cross-Origin-Resource-Policy: same-origin - Enhanced Permissions-Policy with additional restrictions - Enhanced CSP with frame-ancestors directive - HSTS now only set in production (not in development) - Updated tests to verify all new headers 2025-12-24 11:24:54 +00:00			`assert.Contains(t, w.Header().Get("Content-Security-Policy"), "frame-ancestors 'none'")`
[FE-PAGE-001] fe-page: Complete Dashboard page implementation - Created dashboardService.ts to fetch real stats and activity from API - Created useDashboard hook for managing dashboard data - Updated DashboardPage to use real data instead of hardcoded values - Added loading states and skeletons for better UX - Made quick actions functional with navigation - Added activity timeline with real timestamps - Formatted numbers with K/M suffixes for readability - Added relative time formatting using date-fns 2025-12-24 11:35:38 +00:00
[BE-SEC-011] be-sec: Implement security headers - Enhanced security headers middleware with additional headers - Added X-Permitted-Cross-Domain-Policies: none - Added Cross-Origin-Embedder-Policy: require-corp - Added Cross-Origin-Opener-Policy: same-origin - Added Cross-Origin-Resource-Policy: same-origin - Enhanced Permissions-Policy with additional restrictions - Enhanced CSP with frame-ancestors directive - HSTS now only set in production (not in development) - Updated tests to verify all new headers 2025-12-24 11:24:54 +00:00			`// BE-SEC-011: Nouveaux headers ajoutés`
			`assert.Equal(t, "none", w.Header().Get("X-Permitted-Cross-Domain-Policies"))`
			`assert.Equal(t, "require-corp", w.Header().Get("Cross-Origin-Embedder-Policy"))`
			`assert.Equal(t, "same-origin", w.Header().Get("Cross-Origin-Opener-Policy"))`
			`assert.Equal(t, "same-origin", w.Header().Get("Cross-Origin-Resource-Policy"))`
refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`}`