diff options
| author | Christian Breunig <christian@breunig.cc> | 2023-12-16 08:35:23 +0100 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2023-12-16 08:39:57 +0100 |
| commit | 1c82e661e04e0979e09e487a58a801ffa9f438e8 (patch) | |
| tree | e77b8eb4aee6b40a156472417b52f2a620284094 | |
| parent | 24f449cc099703df95646c719e9d3f308ed1a3f0 (diff) | |
| download | vyos-1x-1c82e661e04e0979e09e487a58a801ffa9f438e8.tar.gz vyos-1x-1c82e661e04e0979e09e487a58a801ffa9f438e8.zip | |
ocserv: T5796: add smoketest for new "http-security-headers" feature
| -rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 2 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_vpn_openconnect.py | 21 |
2 files changed, 22 insertions, 1 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 713ca7fd4..b5e890c32 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -126,7 +126,7 @@ select-group = {{ grp }} included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains included-http-headers = X-Frame-Options: deny included-http-headers = X-Content-Type-Options: nosniff -included-http-headers = Content-Security-Policy: default-src 'none' +included-http-headers = Content-Security-Policy: default-src "none" included-http-headers = X-Permitted-Cross-Domain-Policies: none included-http-headers = Referrer-Policy: no-referrer included-http-headers = Clear-Site-Data: "cache","cookies","storage" diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index 04abeb1aa..c4502fada 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py @@ -141,5 +141,26 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): otp_config = read_file(otp_file) self.assertIn(f'HOTP/T30/6 {user} - {otp}', otp_config) + + # Verify HTTP security headers + self.cli_set(base_path + ['http-security-headers']) + self.cli_commit() + + daemon_config = read_file(config_file) + + self.assertIn('included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains', daemon_config) + self.assertIn('included-http-headers = X-Frame-Options: deny', daemon_config) + self.assertIn('included-http-headers = X-Content-Type-Options: nosniff', daemon_config) + self.assertIn('included-http-headers = Content-Security-Policy: default-src "none"', daemon_config) + self.assertIn('included-http-headers = X-Permitted-Cross-Domain-Policies: none', daemon_config) + self.assertIn('included-http-headers = Referrer-Policy: no-referrer', daemon_config) + self.assertIn('included-http-headers = Clear-Site-Data: "cache","cookies","storage"', daemon_config) + self.assertIn('included-http-headers = Cross-Origin-Embedder-Policy: require-corp', daemon_config) + self.assertIn('included-http-headers = Cross-Origin-Opener-Policy: same-origin', daemon_config) + self.assertIn('included-http-headers = Cross-Origin-Resource-Policy: same-origin', daemon_config) + self.assertIn('included-http-headers = X-XSS-Protection: 0', daemon_config) + self.assertIn('included-http-headers = Pragma: no-cache', daemon_config) + self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config) + if __name__ == '__main__': unittest.main(verbosity=2) |