parent
401615847c
commit
bd08d8ce8e
@ -255,14 +255,14 @@ func AddDefaultResponseHeaders() macaron.Handler {
|
||||
// AddSecurityHeaders adds various HTTP(S) response headers that enable various security protections behaviors in the client's browser.
|
||||
func AddSecurityHeaders(w macaron.ResponseWriter) {
|
||||
if setting.Protocol == setting.HTTPS && setting.StrictTransportSecurity {
|
||||
strictHeader := "Strict-Transport-Security"
|
||||
w.Header().Add(strictHeader, fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge))
|
||||
strictHeaderValues := []string{fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge)}
|
||||
if setting.StrictTransportSecurityPreload {
|
||||
w.Header().Add(strictHeader, "preload")
|
||||
strictHeaderValues = append(strictHeaderValues, "preload")
|
||||
}
|
||||
if setting.StrictTransportSecuritySubDomains {
|
||||
w.Header().Add(strictHeader, "includeSubDomains")
|
||||
strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
|
||||
}
|
||||
w.Header().Add("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
|
||||
}
|
||||
|
||||
if setting.ContentTypeProtectionHeader {
|
||||
|
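Review bot: The joined value is still emitted with `w.Header().Add` (the line adding `"Strict-Transport-Security"` after the two `if` blocks), so a second STS field can appear if anything earlier in the chain already set one; RFC 6797 §8.1 makes the client honour only the first such field, which would silently override this one. `w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))` guarantees exactly one field and is what the rest of the new code (a single joined value) already intends. The enclosing function AddSecurityHeaders starts inside the hunk but continues past it, and the `setting.Protocol == setting.HTTPS` gate is unchanged here — presumably that means HSTS is never sent when TLS is terminated in front of Grafana, which the header comment could state.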
@ -21,6 +21,39 @@ import (
|
||||
"gopkg.in/macaron.v1"
|
||||
)
|
||||
|
||||
func TestMiddleWareSecurityHeaders(t *testing.T) {
|
||||
setting.ERR_TEMPLATE_NAME = "error-template"
|
||||
|
||||
Convey("Given the grafana middleware", t, func() {
|
||||
|
||||
middlewareScenario(t, "middleware should get correct x-xss-protection header", func(sc *scenarioContext) {
|
||||
setting.XSSProtectionHeader = true
|
||||
sc.fakeReq("GET", "/api/").exec()
|
||||
So(sc.resp.Header().Get("X-XSS-Protection"), ShouldEqual, "1; mode=block")
|
||||
})
|
||||
|
||||
middlewareScenario(t, "middleware should not get x-xss-protection when disabled", func(sc *scenarioContext) {
|
||||
setting.XSSProtectionHeader = false
|
||||
sc.fakeReq("GET", "/api/").exec()
|
||||
So(sc.resp.Header().Get("X-XSS-Protection"), ShouldBeEmpty)
|
||||
})
|
||||
|
||||
middlewareScenario(t, "middleware should add correct Strict-Transport-Security header", func(sc *scenarioContext) {
|
||||
setting.StrictTransportSecurity = true
|
||||
setting.Protocol = setting.HTTPS
|
||||
setting.StrictTransportSecurityMaxAge = 64000
|
||||
sc.fakeReq("GET", "/api/").exec()
|
||||
So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000")
|
||||
setting.StrictTransportSecurityPreload = true
|
||||
sc.fakeReq("GET", "/api/").exec()
|
||||
So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000; preload")
|
||||
setting.StrictTransportSecuritySubDomains = true
|
||||
sc.fakeReq("GET", "/api/").exec()
|
||||
So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000; preload; includeSubDomains")
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func TestMiddlewareContext(t *testing.T) {
|
||||
setting.ERR_TEMPLATE_NAME = "error-template"
|
||||
|
||||
|
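Review bot: TestMiddleWareSecurityHeaders mutates package-level state (`setting.Protocol`, `setting.StrictTransportSecurity`, `setting.StrictTransportSecurityMaxAge`, `setting.StrictTransportSecurityPreload`, `setting.StrictTransportSecuritySubDomains`, and `setting.XSSProtectionHeader`) and never restores it, so the last scenario leaves HSTS with preload and includeSubDomains switched on for every test that runs afterwards, including TestMiddlewareContext directly below. Each scenario should capture the values it touches and restore them in a `defer` at its top, or the scenario helper should reset `setting` between runs. The hunk also covers only the positive path; a scenario asserting `So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldBeEmpty)` when `setting.Protocol` is not HTTPS or `setting.StrictTransportSecurity` is false would pin the gate that keeps the header off plain-HTTP responses.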