// secureMiddleware returns the negroni handler that stamps the security
// headers onto every response: an HTTPS redirect with HSTS, X-Frame-Options
// DENY, X-Content-Type-Options nosniff, the legacy X-XSS-Protection header
// and a Content-Security-Policy that names c.AssetHost as an allowed source
// for scripts, styles and objects.
//
// c.IsProduction() == false is forwarded to the secure package as
// IsDevelopment, which the package uses to relax enforcement for local runs.
//
// NOTE(review): the policy starts with `default-src *` and allows
// 'unsafe-inline' for both script-src and style-src, so it only limits where
// external scripts/styles/objects may be fetched from; it does not stop
// inline script injection. c.AssetHost is spliced into the policy verbatim,
// so it must be a single trusted origin — a value containing ';' would add
// directives of its own.
func secureMiddleware(c *Config) negroni.Handler {
	// Built by concatenation so each directive is readable as its own piece;
	// the resulting string is byte-identical to the previous format string.
	assetHost := c.AssetHost
	policy := "default-src *; " +
		"script-src 'self' " + assetHost + " https://www.google-analytics.com 'unsafe-inline'; " +
		"style-src 'self' " + assetHost + " 'unsafe-inline'; " +
		"object-src 'self' " + assetHost + ";"

	opts := secure.Options{
		SSLRedirect: true,
		// 315360000 s = ten years of HSTS.
		STSSeconds: 315360000,
		// A request carrying X-Forwarded-Proto: https is treated as already
		// TLS-terminated; this is only safe behind a proxy that overwrites
		// the header rather than passing a client-supplied value through.
		SSLProxyHeaders:       map[string]string{"X-Forwarded-Proto": "https"},
		STSIncludeSubdomains:  true,
		FrameDeny:             true,
		ContentTypeNosniff:    true,
		BrowserXssFilter:      true,
		ContentSecurityPolicy: policy,
		IsDevelopment:         !c.IsProduction(),
	}

	s := secure.New(opts)
	return negroni.HandlerFunc(s.HandlerFuncWithNext)
}
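// TestIntegrationWithError runs the middleware inside a negroni stack with an
// AllowedHosts list and sends a request whose Host header is not on that list.
// The wrapped /foo handler must not be reached; the test expects the
// middleware to answer with 500 Internal Server Error instead.
func TestIntegrationWithError(t *testing.T) {
	mux := http.NewServeMux()
	mux.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "bar")
	})

	secureMiddleware := New(Options{
		ContentTypeNosniff: true,
		FrameDeny:          true,
		AllowedHosts:       []string{"www.example.com", "sub.example.com"},
	})

	n := negroni.New()
	n.Use(negroni.HandlerFunc(secureMiddleware.HandlerFuncWithNext))
	n.UseHandler(mux)

	res := httptest.NewRecorder()
	// Previously the error from NewRequest was discarded; fail loudly so a
	// malformed request cannot masquerade as the host-check rejection.
	req, err := http.NewRequest(http.MethodGet, "/foo", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	// Not in AllowedHosts above, so the middleware should reject it.
	req.Host = "www3.example.com"

	n.ServeHTTP(res, req)

	expect(t, res.Code, http.StatusInternalServerError)
}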
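// TestIntegration runs the middleware inside a negroni stack with only
// ContentTypeNosniff and FrameDeny enabled and checks that a plain request to
// /foo passes through to the handler (200, body "bar") while the
// X-Frame-Options and X-Content-Type-Options headers are added to the
// response. No AllowedHosts are configured, so the host check is not
// exercised here, and SSLRedirect is left at its zero value, so the http://
// URL is not redirected.
func TestIntegration(t *testing.T) {
	mux := http.NewServeMux()
	mux.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "bar")
	})

	secureMiddleware := New(Options{
		ContentTypeNosniff: true,
		FrameDeny:          true,
	})

	n := negroni.New()
	n.Use(negroni.HandlerFunc(secureMiddleware.HandlerFuncWithNext))
	n.UseHandler(mux)

	res := httptest.NewRecorder()
	// Previously the error from NewRequest was discarded; a nil request would
	// have produced a confusing panic inside ServeHTTP instead of a clear failure.
	req, err := http.NewRequest(http.MethodGet, "http://example.com/foo", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}

	n.ServeHTTP(res, req)

	expect(t, res.Code, http.StatusOK)
	expect(t, res.Body.String(), "bar")
	expect(t, res.Header().Get("X-Frame-Options"), "DENY")
	expect(t, res.Header().Get("X-Content-Type-Options"), "nosniff")
}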