public async Task Invoke_XFrameOptionsHeaderName_HeaderIsNotPresent() { // arrange var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.False(headerNotPresentConfig.UseXFrameOptions); Assert.False(_context.Response.Headers.ContainsKey(Constants.XFrameOptionsHeaderName)); }
public async Task Invoke_XPoweredByHeader_RemoveHeader() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().RemovePoweredByHeader().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.RemoveXPoweredByHeader); Assert.False(_context.Response.Headers.ContainsKey(Constants.PoweredByHeaderName)); }
public async Task Invoke_ReferrerPolicyHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseReferrerPolicy().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseReferrerPolicy); Assert.True(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName)); Assert.Equal("no-referrer", _context.Response.Headers[Constants.ReferrerPolicyHeaderName]); }
public async Task Invoke_XssProtectionHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseXSSProtection().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseXssProtection); Assert.True(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName)); Assert.Equal("1; mode=block", _context.Response.Headers[Constants.XssProtectionHeaderName]); }
public async Task Invoke_XContentTypeOptionsHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentTypeOptions().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseXContentTypeOptions); Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName)); Assert.Equal("nosniff", _context.Response.Headers[Constants.XContentTypeOptionsHeaderName]); }
public async Task invoke_NullConfig_ExceptionThrown() { var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, null); var exception = await Record.ExceptionAsync(() => secureHeadersMiddleware.Invoke(_context)); Assert.NotNull(exception); Assert.IsAssignableFrom <ArgumentException>(exception); var argEx = exception as ArgumentException; Assert.NotNull(argEx); Assert.Contains(nameof(SecureHeadersMiddlewareConfiguration), exception.Message); }
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsNotPresent() { // arrange var headerNotPresetConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresetConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (!headerNotPresetConfig.UseHsts) { Assert.False(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName)); } }
public async Task Invoke_XContentSecurityPolicyHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy(useXContentSecurityPolicy: true).Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseXContentSecurityPolicy); Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentSecurityPolicyHeaderName)); Assert.Equal("block-all-mixed-content; upgrade-insecure-requests;", _context.Response.Headers[Constants.XContentSecurityPolicyHeaderName]); }
public async Task Invoke_PermittedCrossDomainPoliciesHeaderName_HeaderIsNotPresent() { // arrange var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (!headerNotPresentConfig.UsePermittedCrossDomainPolicy) { Assert.False(_context.Response.Headers.ContainsKey(Constants.PermittedCrossDomainPoliciesHeaderName)); } }
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseHsts().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseHsts); Assert.True(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName)); Assert.Equal("max-age=63072000; includeSubDomains", _context.Response.Headers[Constants.StrictTransportSecurityHeaderName]); }
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent_WithMultipleCspSandboxTypes() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy().Build(); headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); Assert.Equal("sandbox allow-forms allow-scripts allow-same-origin; block-all-mixed-content; upgrade-insecure-requests;", _context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]); }
public async Task Invoke_CacheControl_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseCacheControl().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseCacheControl); Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName)); Assert.Equal(headerPresentConfig.CacheControl.BuildHeaderValue(), _context.Response.Headers[Constants.CacheControlHeaderName]); }
public async Task Invoke_XPoweredByHeader_DoNotRemoveHeader() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.False(headerPresentConfig.RemoveXPoweredByHeader); // Am currently running the 2.1.300 Preview 1 build of the SDK // and the server doesn't seem to add this header. // Therefore this assert is commented out, as it will always fail //Assert.True(_context.Response.Headers.ContainsKey(Constants.PoweredByHeaderName)); }
public async Task Invoke_PermittedCrossDomainPoliciesHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UsePermittedCrossDomainPolicies().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UsePermittedCrossDomainPolicy); Assert.True(_context.Response.Headers.ContainsKey(Constants.PermittedCrossDomainPoliciesHeaderName)); Assert.Equal("none;", _context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]); }
public async Task Invoke_ExpectCtHeaderName_HeaderIsNotPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseExpectCt("https://test.com/report").Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (!headerPresentConfig.UseExpectCt) { Assert.False(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName)); } }
public async Task Invoke_ExpectCtHeaderName_HeaderIsPresent_ReportUri_Optional() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseExpectCt(string.Empty).Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseExpectCt); Assert.True(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName)); Assert.Equal(headerPresentConfig.ExpectCt.BuildHeaderValue(), _context.Response.Headers[Constants.ExpectCtHeaderName]); }
public async Task Invoke_ContentSecurityPolicyReportOnly_HeaderIsPresent_WithMultipleCspSandboxTypes() { const string reportUri = "https://localhost:5001/report-uri"; // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicyReportOnly(reportUri).Build(); headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyReportOnlyHeaderName)); Assert.Equal($"block-all-mixed-content;upgrade-insecure-requests;report-uri {reportUri};", _context.Response.Headers[Constants.ContentSecurityPolicyReportOnlyHeaderName]); }
public async Task Invoke_ReferrerPolicyHeaderName_HeaderIsPresent() { // arrange var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (_middlewareConfig.UseReferrerPolicy) { Assert.True(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName)); Assert.Equal("no-referrer;", _context.Response.Headers[Constants.ReferrerPolicyHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName)); } }
public async Task Invoke_XContentTypeOptionsHeaderName_HeaderIsPresent() { // arrange var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (_middlewareConfig.UseXContentTypeOptions) { Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName)); Assert.Equal("nosniff", _context.Response.Headers[Constants.XContentTypeOptionsHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName)); } }
public async Task Invoke_XssProtectionHeaderName_HeaderIsPresent() { // arrange var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (_middlewareConfig.UseXssProtection) { Assert.True(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName)); Assert.Equal("1; mode=block", _context.Response.Headers[Constants.XssProtectionHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName)); } }
public async Task Invoke_PublicKeyPinsHeaderName_HeaderIsPresent() { // arrange var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (_middlewareConfig.UseHpkp) { Assert.True(_context.Response.Headers.ContainsKey(Constants.PublicKeyPinsHeaderName)); Assert.Equal("report-url=\"http://example.com/pkp-report\";max-age=10000; includeSubDomains", _context.Response.Headers[Constants.PublicKeyPinsHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.PublicKeyPinsHeaderName)); } }
public async Task Invoke_CacheControl_NoStore_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseCacheControl(noStore: true).Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseCacheControl); Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName)); _context.Response.Headers.TryGetValue(Constants.CacheControlHeaderName, out var headerValues); Assert.True(headerValues.Any()); Assert.Contains("no-store", headerValues.First()); Assert.DoesNotContain("private", headerValues.First()); Assert.DoesNotContain("must-revalidate", headerValues.First()); }
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsPresent() { // arrange var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (_middlewareConfig.UseHsts) { Assert.True(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName)); Assert.Equal("max-age=31536000; includeSubDomains", _context.Response.Headers[Constants.StrictTransportSecurityHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName)); } }
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent() { // arrange var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, _middlewareConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (_middlewareConfig.UseContentSecurityPolicy) { Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); Assert.Equal("block-all-mixed-content; upgrade-insecure-requests; report-uri https://dotnetcore.gaprogman.com;", _context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); } }
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentDefaultSecurityPolicy().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (headerPresentConfig.UseContentSecurityPolicy) { Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); Assert.Equal("script-src 'self';object-src 'self';block-all-mixed-content; upgrade-insecure-requests;", _context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); } }