/// <summary>
/// Verifies that the X-Frame-Options middleware, configured with
/// <see cref="XFrameOption.SameOrigin"/>, emits the header with the
/// <c>SAMEORIGIN</c> directive on a plain HTTP response.
/// </summary>
public async Task XFrameOptionsHeaderMiddleware_EmitsXFrameOptionsHeaderWithSameOriginValue()
{
    // Arrange
    var headerName = XFrameOptionsHeaderMiddleware.XFrameOptionsHeaderName;
    var host = PersonalSiteTestServer.Create(app => app.UseXFrameOptionsHeader(XFrameOption.SameOrigin));

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.True(reply.Headers.Contains(headerName));
    var headerValue = reply.Headers.GetValues(headerName).First();
    Assert.Equal("SAMEORIGIN", headerValue);
}
/// <summary>
/// Verifies that the X-Frame-Options middleware, configured with an
/// <c>ALLOW-FROM</c> option built from a URI, emits the header with the
/// <c>ALLOW-FROM &lt;origin&gt;</c> directive.
/// </summary>
/// <remarks>
/// NOTE(review): <c>ALLOW-FROM</c> is a legacy directive that current mainstream
/// browsers ignore; the CSP <c>frame-ancestors</c> directive is the usual
/// replacement. This test only pins the middleware's output format, not
/// browser enforcement — confirm the deployment still needs this option.
/// </remarks>
public async Task XFrameOptionsHeaderMiddleware_EmitsXFrameOptionsHeaderWithAllowFromValue()
{
    // Arrange
    var headerName = XFrameOptionsHeaderMiddleware.XFrameOptionsHeaderName;
    var allowedOrigin = new Uri("http://localhost/");
    var host = PersonalSiteTestServer.Create(app =>
    {
        app.UseXFrameOptionsHeader(XFrameOption.CreateAllowFrom(allowedOrigin));
    });

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.True(reply.Headers.Contains(headerName));
    var headerValue = reply.Headers.GetValues(headerName).First();
    Assert.Equal("ALLOW-FROM http://localhost/", headerValue);
}
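/// <summary>
/// Verifies that the canonical-domain middleware, with <c>requireHttps</c> enabled,
/// answers a plain HTTP request with a 301 whose Location uses the <c>https</c> scheme.
/// </summary>
/// <remarks>
/// The Location header is asserted non-null before its scheme is read, so a missing
/// redirect target surfaces as an assertion failure rather than a
/// <see cref="NullReferenceException"/> inside the test.
/// </remarks>
public async Task CanonicalDomainMiddleware_RedirectToHttps()
{
    // Arrange
    var host = PersonalSiteTestServer.Create(app => app.UseCanonicalDomain(requireHttps: true));

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.Equal(HttpStatusCode.MovedPermanently, reply.StatusCode);
    var location = reply.Headers.Location;
    Assert.NotNull(location);
    Assert.Equal("https", location.Scheme);
}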
/// <summary>
/// Verifies that the X-Content-Type-Options middleware emits the header with the
/// <c>nosniff</c> value, which tells browsers not to MIME-sniff away from the
/// declared Content-Type.
/// </summary>
public async Task XContentTypeOptionsHeaderMiddleware_EmitsXFrameOptionsHeaderWithNosniffValue()
{
    // Arrange
    var headerName = XContentTypeOptionsHeaderMiddleware.XContentTypeOptionsHeaderName;
    var host = PersonalSiteTestServer.Create(app => app.UseXContentTypeOptionsHeader());

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.True(reply.Headers.Contains(headerName));
    var headerValue = reply.Headers.GetValues(headerName).First();
    Assert.Equal("nosniff", headerValue);
}
/// <summary>
/// Verifies that the Referrer-Policy middleware emits the header whose value
/// corresponds to the supplied <paramref name="policy"/>.
/// </summary>
/// <param name="policy">The policy option passed to the middleware.</param>
/// <param name="value">The exact header value expected for <paramref name="policy"/>.</param>
/// <remarks>
/// The (policy, value) pairs are supplied by the test-case attribute that decorates this
/// method; that attribute is not part of this listing.
/// </remarks>
public async Task ReferrerPolicyHeaderMiddleware_EmitsReferrerPolicyOptionValue(ReferrerPolicy policy, string value)
{
    // Arrange
    var headerName = ReferrerPolicyHeaderMiddleware.ReferrerPolicyHeaderName;
    var host = PersonalSiteTestServer.Create(app => app.UseReferrerPolicyHeader(policy));

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.True(reply.Headers.Contains(headerName));
    var headerValue = reply.Headers.GetValues(headerName).First();
    Assert.Equal(value, headerValue);
}
/// <summary>
/// Verifies that the Strict-Transport-Security middleware stays silent on a plain
/// HTTP request: the header must only be sent over TLS, since browsers ignore
/// (and must ignore) HSTS received over an insecure connection.
/// </summary>
public async Task StrictTransportSecurityHeaderMiddleware_DoesntEmitStrictTransportSecurityHeaderForHttpRequests()
{
    // Arrange
    var headerName = StrictTransportSecurityHeaderMiddleware.StrictTransportSecurityHeaderName;
    var oneDay = TimeSpan.FromDays(1);
    var host = PersonalSiteTestServer.Create(app => app.UseStrictTransportSecurityHeader(oneDay));

    // Act — note the insecure scheme.
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.False(reply.Headers.Contains(headerName));
}
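/// <summary>
/// Verifies that the canonical-domain middleware answers a request on a non-canonical
/// host with a 301 whose Location points at the configured canonical domain.
/// </summary>
/// <remarks>
/// Fixes the swapped <c>Assert.Equal</c> arguments of the original (expected first,
/// actual second, matching the sibling canonical-domain tests) so failure messages
/// read correctly, and asserts the Location header is present before dereferencing it.
/// </remarks>
public async Task CanonicalDomainMiddleware_RedirectsToCanonicalDomain()
{
    // Arrange
    var canonicalDomain = "other.com";
    var host = PersonalSiteTestServer.Create(app => app.UseCanonicalDomain(domain: canonicalDomain));

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.Equal(HttpStatusCode.MovedPermanently, reply.StatusCode);
    var location = reply.Headers.Location;
    Assert.NotNull(location);
    Assert.Equal(canonicalDomain, location.Host);
}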
/// <summary>
/// Verifies that the X-XSS-Protection middleware, configured with
/// <c>enabled: false</c>, emits a header value that starts with <c>0</c>
/// and carries no <c>mode</c> directive.
/// </summary>
/// <remarks>
/// NOTE(review): the value <c>0</c> (filter disabled) is the setting generally
/// recommended today, since the legacy XSS auditor this header controlled has
/// been removed from mainstream browsers; a Content-Security-Policy is the
/// modern control. Confirm against current guidance before changing the default.
/// </remarks>
public async Task XXSSProtectionHeaderMiddleware_EmitsXXSSProtectionHeaderDisabled()
{
    // Arrange
    var headerName = XXSSProtectionHeaderMiddleware.XXSSProtectionHeaderName;
    var host = PersonalSiteTestServer.Create(app => app.UseXXSSProtectionHeader(enabled: false));

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.True(reply.Headers.Contains(headerName));
    var headerValue = reply.Headers.GetValues(headerName).First();
    Assert.StartsWith("0", headerValue);
    Assert.DoesNotContain("mode", headerValue);
}
/// <summary>
/// Verifies that the X-XSS-Protection middleware, configured with
/// <c>enabled: true</c> and <see cref="XXSSProtectionMode.Block"/>, emits a
/// header value that starts with <c>1</c> and ends with <c>mode=block</c>.
/// </summary>
/// <remarks>
/// NOTE(review): X-XSS-Protection is a deprecated header; <c>1; mode=block</c>
/// relied on a browser-side auditor that no longer ships in mainstream browsers,
/// and historically the auditor itself was a source of side-channel issues.
/// This test pins the middleware's formatting only — confirm the option is still
/// wanted in production configuration.
/// </remarks>
public async Task XXSSProtectionHeaderMiddleware_EmitsXXSSProtectionHeaderWithBlockMode()
{
    // Arrange
    var headerName = XXSSProtectionHeaderMiddleware.XXSSProtectionHeaderName;
    var host = PersonalSiteTestServer.Create(app =>
    {
        app.UseXXSSProtectionHeader(enabled: true, mode: XXSSProtectionMode.Block);
    });

    // Act
    var reply = await host.CreateRequest("http://server/").GetAsync();

    // Assert
    Assert.True(reply.Headers.Contains(headerName));
    var headerValue = reply.Headers.GetValues(headerName).First();
    Assert.StartsWith("1", headerValue);
    Assert.EndsWith("mode=block", headerValue);
}
/// <summary>
/// Verifies that the Strict-Transport-Security middleware, configured with
/// <c>preload: true</c>, emits the header on an HTTPS response and that the
/// value ends with the <c>preload</c> directive.
/// </summary>
/// <remarks>
/// Only the trailing <c>preload</c> token is asserted here; the max-age value
/// the middleware derives from <c>maxAge</c> is not checked by this test.
/// NOTE(review): emitting <c>preload</c> signals eligibility for browser preload
/// lists, which is effectively irreversible for the domain — the production
/// configuration should opt in deliberately.
/// </remarks>
public async Task StrictTransportSecurityHeaderMiddleware_EmitsStrictTransportSecurityHeaderWithPreloadValue()
{
    // Arrange
    var headerName = StrictTransportSecurityHeaderMiddleware.StrictTransportSecurityHeaderName;
    var oneDay = TimeSpan.FromDays(1);
    var host = PersonalSiteTestServer.Create(app =>
    {
        app.UseStrictTransportSecurityHeader(oneDay, preload: true);
    });

    // Act — HSTS is only emitted over TLS, so the request must be https.
    var reply = await host.CreateRequest("https://server/").GetAsync();

    // Assert
    Assert.True(reply.Headers.Contains(headerName));
    var headerValue = reply.Headers.GetValues(headerName).First();
    Assert.EndsWith("preload", headerValue);
}
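/// <summary>
/// Verifies that the canonical-domain redirect preserves the original request's
/// path and query string: a request to <c>http://wrong.com/path?query=value</c>
/// must produce a 301 to the canonical host with the same path and query.
/// </summary>
/// <remarks>
/// The Location header is asserted non-null before its members are read, so a
/// missing redirect target fails as an assertion rather than as a
/// <see cref="NullReferenceException"/>.
/// </remarks>
public async Task CanonicalDomainMiddleware_RedirectKeepsPathAndQueryIntact()
{
    // Arrange
    var canonicalDomain = "other.com";
    var pathAndQuery = "path?query=value";
    var host = PersonalSiteTestServer.Create(app => app.UseCanonicalDomain(domain: canonicalDomain));

    // Act
    var reply = await host.CreateRequest($"http://wrong.com/{pathAndQuery}").GetAsync();

    // Assert
    Assert.Equal(HttpStatusCode.MovedPermanently, reply.StatusCode);
    var location = reply.Headers.Location;
    Assert.NotNull(location);
    Assert.Equal(canonicalDomain, location.Host);
    // Uri.PathAndQuery always carries a leading '/', which the fixture string omits.
    Assert.Equal(pathAndQuery, location.PathAndQuery.TrimStart('/'));
}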