test(middleware): CSP config and removed XSS auditor header

2026-05-06 20:13:56 +02:00
parent 61875201f9
commit abaf46e624
1 changed files with 22 additions and 2 deletions
@@ -22,7 +22,6 @@ func TestSecurityHeadersMiddleware(t *testing.T) {
 	expectedHeaders := map[string]string{
 		"X-Content-Type-Options": "nosniff",
 		"X-Frame-Options":        "DENY",
-		"X-XSS-Protection":       "1; mode=block",
 		"Referrer-Policy":        "strict-origin-when-cross-origin",
 		"Server":                 "",
 	}
@@ -176,7 +175,6 @@ func TestSecurityHeadersMiddleware_MultipleRequests(t *testing.T) {
 		requiredHeaders := []string{
 			"X-Content-Type-Options",
 			"X-Frame-Options",
-			"X-XSS-Protection",
 			"Referrer-Policy",
 			"Content-Security-Policy",
 			"Permissions-Policy",
@@ -289,3 +287,25 @@ func TestCSPNonceInContext(t *testing.T) {
 		t.Errorf("CSP header should contain nonce from context. CSP: %s, Nonce: %s", csp, capturedNonce)
 	}
 }
+
+func TestSecurityHeadersMiddleware_SwaggerStrictWhenRelaxedDisabled(t *testing.T) {
+	handler := SecurityHeadersMiddlewareWithConfig(SecurityHeadersConfig{RelaxSwaggerCSP: false})(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+
+	req := httptest.NewRequest("GET", "/swagger/index.html", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	csp := rec.Header().Get("Content-Security-Policy")
+	if csp == "" {
+		t.Fatal("expected CSP")
+	}
+	if strings.Contains(csp, "'unsafe-eval'") || strings.Contains(csp, "'unsafe-inline'") {
+		t.Fatalf("unexpected relaxed CSP for swagger path: %s", csp)
+	}
+	if !strings.Contains(csp, "nonce-") {
+		t.Fatalf("expected nonce CSP for swagger path, got %s", csp)
+	}
+}