public async Task Invoke_XFrameOptionsHeaderName_HeaderIsNotPresent()
{
// arrange
var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.False(headerNotPresentConfig.UseXFrameOptions);
Assert.False(_context.Response.Headers.ContainsKey(Constants.XFrameOptionsHeaderName));
}
public async Task Invoke_XPoweredByHeader_RemoveHeader()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().RemovePoweredByHeader().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.RemoveXPoweredByHeader);
Assert.False(_context.Response.Headers.ContainsKey(Constants.PoweredByHeaderName));
}
public async Task Invoke_ReferrerPolicyHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseReferrerPolicy().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseReferrerPolicy);
Assert.True(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName));
Assert.Equal("no-referrer", _context.Response.Headers[Constants.ReferrerPolicyHeaderName]);
}
public async Task Invoke_XssProtectionHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseXSSProtection().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseXssProtection);
Assert.True(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName));
Assert.Equal("1; mode=block", _context.Response.Headers[Constants.XssProtectionHeaderName]);
}
public async Task Invoke_XContentTypeOptionsHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentTypeOptions().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseXContentTypeOptions);
Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName));
Assert.Equal("nosniff", _context.Response.Headers[Constants.XContentTypeOptionsHeaderName]);
}
public async Task invoke_NullConfig_ExceptionThrown()
{
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, null);
var exception = await Record.ExceptionAsync(() => secureHeadersMiddleware.Invoke(_context));
Assert.NotNull(exception);
Assert.IsAssignableFrom <ArgumentException>(exception);
var argEx = exception as ArgumentException;
Assert.NotNull(argEx);
Assert.Contains(nameof(SecureHeadersMiddlewareConfiguration), exception.Message);
}
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsNotPresent()
{
// arrange
var headerNotPresetConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresetConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (!headerNotPresetConfig.UseHsts)
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName));
}
}
public async Task Invoke_XContentSecurityPolicyHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy(useXContentSecurityPolicy: true).Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseXContentSecurityPolicy);
Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentSecurityPolicyHeaderName));
Assert.Equal("block-all-mixed-content; upgrade-insecure-requests;",
_context.Response.Headers[Constants.XContentSecurityPolicyHeaderName]);
}
public async Task Invoke_PermittedCrossDomainPoliciesHeaderName_HeaderIsNotPresent()
{
// arrange
var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (!headerNotPresentConfig.UsePermittedCrossDomainPolicy)
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.PermittedCrossDomainPoliciesHeaderName));
}
}
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseHsts().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseHsts);
Assert.True(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName));
Assert.Equal("max-age=63072000; includeSubDomains",
_context.Response.Headers[Constants.StrictTransportSecurityHeaderName]);
}
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent_WithMultipleCspSandboxTypes()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy().Build();
headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin);
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
Assert.Equal("sandbox allow-forms allow-scripts allow-same-origin; block-all-mixed-content; upgrade-insecure-requests;",
_context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]);
}
public async Task Invoke_CacheControl_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseCacheControl().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseCacheControl);
Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName));
Assert.Equal(headerPresentConfig.CacheControl.BuildHeaderValue(),
_context.Response.Headers[Constants.CacheControlHeaderName]);
}
public async Task Invoke_XPoweredByHeader_DoNotRemoveHeader()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.False(headerPresentConfig.RemoveXPoweredByHeader);
// Am currently running the 2.1.300 Preview 1 build of the SDK
// and the server doesn't seem to add this header.
// Therefore this assert is commented out, as it will always fail
//Assert.True(_context.Response.Headers.ContainsKey(Constants.PoweredByHeaderName));
}
public async Task Invoke_PermittedCrossDomainPoliciesHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig =
SecureHeadersMiddlewareBuilder.CreateBuilder().UsePermittedCrossDomainPolicies().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UsePermittedCrossDomainPolicy);
Assert.True(_context.Response.Headers.ContainsKey(Constants.PermittedCrossDomainPoliciesHeaderName));
Assert.Equal("none;",
_context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]);
}
public async Task Invoke_ExpectCtHeaderName_HeaderIsNotPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseExpectCt("https://test.com/report").Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (!headerPresentConfig.UseExpectCt)
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName));
}
}
public async Task Invoke_ExpectCtHeaderName_HeaderIsPresent_ReportUri_Optional()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseExpectCt(string.Empty).Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseExpectCt);
Assert.True(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName));
Assert.Equal(headerPresentConfig.ExpectCt.BuildHeaderValue(),
_context.Response.Headers[Constants.ExpectCtHeaderName]);
}
public async Task Invoke_ContentSecurityPolicyReportOnly_HeaderIsPresent_WithMultipleCspSandboxTypes()
{
const string reportUri = "https://localhost:5001/report-uri";
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicyReportOnly(reportUri).Build();
headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin);
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyReportOnlyHeaderName));
Assert.Equal($"block-all-mixed-content;upgrade-insecure-requests;report-uri {reportUri};",
_context.Response.Headers[Constants.ContentSecurityPolicyReportOnlyHeaderName]);
}
public async Task Invoke_ReferrerPolicyHeaderName_HeaderIsPresent()
{
// arrange
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (_middlewareConfig.UseReferrerPolicy)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName));
Assert.Equal("no-referrer;", _context.Response.Headers[Constants.ReferrerPolicyHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName));
}
}
public async Task Invoke_XContentTypeOptionsHeaderName_HeaderIsPresent()
{
// arrange
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (_middlewareConfig.UseXContentTypeOptions)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName));
Assert.Equal("nosniff", _context.Response.Headers[Constants.XContentTypeOptionsHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName));
}
}
public async Task Invoke_XssProtectionHeaderName_HeaderIsPresent()
{
// arrange
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (_middlewareConfig.UseXssProtection)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName));
Assert.Equal("1; mode=block", _context.Response.Headers[Constants.XssProtectionHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName));
}
}
public async Task Invoke_PublicKeyPinsHeaderName_HeaderIsPresent()
{
// arrange
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (_middlewareConfig.UseHpkp)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.PublicKeyPinsHeaderName));
Assert.Equal("report-url=\"http://example.com/pkp-report\";max-age=10000; includeSubDomains",
_context.Response.Headers[Constants.PublicKeyPinsHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.PublicKeyPinsHeaderName));
}
}
public async Task Invoke_CacheControl_NoStore_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseCacheControl(noStore: true).Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseCacheControl);
Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName));
_context.Response.Headers.TryGetValue(Constants.CacheControlHeaderName, out var headerValues);
Assert.True(headerValues.Any());
Assert.Contains("no-store", headerValues.First());
Assert.DoesNotContain("private", headerValues.First());
Assert.DoesNotContain("must-revalidate", headerValues.First());
}
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsPresent()
{
// arrange
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (_middlewareConfig.UseHsts)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName));
Assert.Equal("max-age=31536000; includeSubDomains",
_context.Response.Headers[Constants.StrictTransportSecurityHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName));
}
}
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent()
{
// arrange
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (_middlewareConfig.UseContentSecurityPolicy)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
Assert.Equal("block-all-mixed-content; upgrade-insecure-requests; report-uri https://dotnetcore.gaprogman.com;",
_context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
}
}
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentDefaultSecurityPolicy().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (headerPresentConfig.UseContentSecurityPolicy)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
Assert.Equal("script-src 'self';object-src 'self';block-all-mixed-content; upgrade-insecure-requests;",
_context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
}
}
