public void ShouldAddSecureHeaders() { var securityHeaders = new SecurityHeadersAttribute(); var resultExecutingContext = new ResultExecutingContext( new ActionContext { HttpContext = new DefaultHttpContext(), RouteData = new RouteData(), ActionDescriptor = new ActionDescriptor(), }, new Mock <IList <IFilterMetadata> >().Object, new ViewResult(), new object()); resultExecutingContext.HttpContext = new DefaultHttpContext(); securityHeaders.OnResultExecuting(resultExecutingContext); var responseHeaders = resultExecutingContext.HttpContext.Response.Headers; responseHeaders.Should().Contain("X-Content-Type-Options", "nosniff"); responseHeaders.Should().Contain("X-Frame-Options", "SAMEORIGIN"); responseHeaders.Should().Contain("Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';"); responseHeaders.Should().Contain("X-Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';"); responseHeaders.Should().Contain("Referrer-Policy", "no-referrer"); }
public SecurityHeadersAttributeTest() { _httpContext = new DefaultHttpContext(); _actionContext = new ActionContext(_httpContext, new RouteData(), new ActionDescriptor()); var localLoginInteractor = new Mock <ILocalLoginInteractor>(); var applicationUrlsOptionsMock = new Mock <IOptions <ApplicationUrlsAppSettings> >(); _localLoginController = new LocalLoginController(localLoginInteractor.Object, applicationUrlsOptionsMock.Object); _securityHeadersAttribute = new SecurityHeadersAttribute(); }
public void OnResultExecuting_Should_Add_Headers() { var context = new ResultExecutingContext(_actionContext, Enumerable.Empty <IFilterMetadata>().ToList(), new ViewResult(), new { }); var headersAttribute = new SecurityHeadersAttribute(); headersAttribute.OnResultExecuting(context); context.HttpContext.Response.Headers.Should().ContainKey("X-Content-Type-Options"); context.HttpContext.Response.Headers.Should().ContainKey("X-Frame-Options"); context.HttpContext.Response.Headers.Should().ContainKey("Content-Security-Policy"); context.HttpContext.Response.Headers.Should().ContainKey("X-Content-Security-Policy"); }