UNPKG

headgear

Version:

Sets various security related headers

github.com/belsrc/headgear

belsrc/headgear

133 lines (115 loc) 3.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
var supertest = require('supertest'); var express = require('express'); var app = express(); var http = require('http').Server(app); var headgear = require('../lib/headgear'); http.listen(8000); app.use(headgear.noSniff()); app.use(headgear.removePoweredBy()); app.use(headgear.frameOption('deny')); app.use(headgear.downloadOption()); app.use(headgear.transportSecurity(20000, true)); app.use(headgear.xssProtect()); app.use(headgear.noCache()); app.use(headgear.contentSecurity({ connectSrc: ['self', 'https:'], scriptSrc: ['self', 'https:'], styleSrc: ['self', 'https:'], reflectedXss: 'block', reportUri: 'http://test.com', upgradeInsecureRequests: true, report: true })); app.use(headgear.keyPinning( ['cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=', 'M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE='], 5184000, true, 'google.com' )); app.get('/', function(request, response){ response.send('This is a test'); }); var agent = supertest.agent(app); suite('Headgear', function() { suite('#removePoweredBy', function() { test('removes header value', function(done) { agent .get('/') .end(function(error, response) { if(error) { done(error); } else { if(response.header['x-powered-by']) { done(new Error('x-powered-by is ' + response.header['x-powered-by'])); } else { done(); } } }); }); }); suite('#noSniff', function() { test('has no sniff header value', function(done) { agent .get('/') .expect('x-content-type-options', 'nosniff', done); }); }); suite('#frameOption', function() { test('has deny header value', function(done) { agent .get('/') .expect('frame-options', 'deny', done); }); }); suite('#downloadOption', function() { test('has no open header', function(done) { agent .get('/') .expect('x-download-options', 'noopen', done); }); }); suite('#transportSecurity', function() { test('has sec transport header with subdomains', function(done) { agent .get('/') .expect('strict-transport-security', 'max-age=20000; includeSubDomains;', done); }); }); suite('#xssProtect', function() { test('has xss protect header', function(done) { agent .get('/') .expect('x-xss-protection', '1; mode=block;', done); }); }); suite('#noCache', function() { test('has no cache header', function(done) { agent .get('/') .expect('cache-control', 'no-cache', done); }); }); suite('#contentSecurity', function() { test('has content security header value', function(done) { var expected = 'connect-src \'self\' https:; script-src \'self\' https:; ' + 'style-src \'self\' https:; reflected-xss block; report-uri http://test.com; ' + 'upgrade-insecure-requests 1; '; agent .get('/') .expect('content-security-policy-report-only', expected, done); }); }); suite('#keyPinning', function() { test('has key pins header value', function(done) { var expected = 'pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; ' + 'pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; ' + 'max-age=5184000; includeSubdomains; report-uri="google.com"; '; agent .get('/') .expect('public-key-pins-report-only', expected, done); }); }); });