bddde37f73
- Enhanced security headers middleware with additional headers - Added X-Permitted-Cross-Domain-Policies: none - Added Cross-Origin-Embedder-Policy: require-corp - Added Cross-Origin-Opener-Policy: same-origin - Added Cross-Origin-Resource-Policy: same-origin - Enhanced Permissions-Policy with additional restrictions - Enhanced CSP with frame-ancestors directive - HSTS now only set in production (not in development) - Updated tests to verify all new headers
49 lines
1.9 KiB
Go
49 lines
1.9 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
// TestSecurityHeaders vérifie que les headers de sécurité sont ajoutés
|
|
// BE-SEC-011: Test pour valider que les headers sécurité sont présents
|
|
func TestSecurityHeaders(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.Use(SecurityHeaders())
|
|
router.GET("/test", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"message": "test"})
|
|
})
|
|
|
|
req, _ := http.NewRequest("GET", "/test", nil)
|
|
w := httptest.NewRecorder()
|
|
router.ServeHTTP(w, req)
|
|
|
|
// BE-SEC-011: Vérifier que tous les headers de sécurité sont présents
|
|
// HSTS est seulement en production, donc on vérifie conditionnellement
|
|
if os.Getenv("APP_ENV") == "production" || os.Getenv("APP_ENV") == "prod" {
|
|
assert.Equal(t, "max-age=31536000; includeSubDomains; preload", w.Header().Get("Strict-Transport-Security"))
|
|
} else {
|
|
// En développement, HSTS ne doit pas être présent
|
|
assert.Empty(t, w.Header().Get("Strict-Transport-Security"))
|
|
}
|
|
|
|
assert.Equal(t, "nosniff", w.Header().Get("X-Content-Type-Options"))
|
|
assert.Equal(t, "DENY", w.Header().Get("X-Frame-Options"))
|
|
assert.Equal(t, "1; mode=block", w.Header().Get("X-XSS-Protection"))
|
|
assert.Equal(t, "strict-origin-when-cross-origin", w.Header().Get("Referrer-Policy"))
|
|
assert.Contains(t, w.Header().Get("Permissions-Policy"), "geolocation=()")
|
|
assert.Contains(t, w.Header().Get("Content-Security-Policy"), "default-src 'none'")
|
|
assert.Contains(t, w.Header().Get("Content-Security-Policy"), "frame-ancestors 'none'")
|
|
|
|
// BE-SEC-011: Nouveaux headers ajoutés
|
|
assert.Equal(t, "none", w.Header().Get("X-Permitted-Cross-Domain-Policies"))
|
|
assert.Equal(t, "require-corp", w.Header().Get("Cross-Origin-Embedder-Policy"))
|
|
assert.Equal(t, "same-origin", w.Header().Get("Cross-Origin-Opener-Policy"))
|
|
assert.Equal(t, "same-origin", w.Header().Get("Cross-Origin-Resource-Policy"))
|
|
}
|