Merge pull request #2644 from c-po/ocserv-T5796

ocserv: T5796: add CLI knob "http-security-headers"
author: Viacheslav Hletenko <v.gletenko@vyos.io> 2023-12-16 14:25:55 +0200
committer: GitHub <noreply@github.com> 2023-12-16 14:25:55 +0200
commit: e8282aa4f7e675d1189864799940c9a1b097601c (patch)
tree: e77b8eb4aee6b40a156472417b52f2a620284094 /smoketest/scripts/cli/test_vpn_openconnect.py
parent: 357123273c808ddec77b097d47231e3301ee5731 (diff)
parent: 1c82e661e04e0979e09e487a58a801ffa9f438e8 (diff)
download: vyos-1x-e8282aa4f7e675d1189864799940c9a1b097601c.tar.gz
vyos-1x-e8282aa4f7e675d1189864799940c9a1b097601c.zip
1 files changed, 21 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index 04abeb1aa..c4502fada 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -141,5 +141,26 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
         otp_config = read_file(otp_file)
         self.assertIn(f'HOTP/T30/6 {user} - {otp}', otp_config)
 
+
+        # Verify HTTP security headers
+        self.cli_set(base_path + ['http-security-headers'])
+        self.cli_commit()
+
+        daemon_config = read_file(config_file)
+
+        self.assertIn('included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains', daemon_config)
+        self.assertIn('included-http-headers = X-Frame-Options: deny', daemon_config)
+        self.assertIn('included-http-headers = X-Content-Type-Options: nosniff', daemon_config)
+        self.assertIn('included-http-headers = Content-Security-Policy: default-src "none"', daemon_config)
+        self.assertIn('included-http-headers = X-Permitted-Cross-Domain-Policies: none', daemon_config)
+        self.assertIn('included-http-headers = Referrer-Policy: no-referrer', daemon_config)
+        self.assertIn('included-http-headers = Clear-Site-Data: "cache","cookies","storage"', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Embedder-Policy: require-corp', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Opener-Policy: same-origin', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Resource-Policy: same-origin', daemon_config)
+        self.assertIn('included-http-headers = X-XSS-Protection: 0', daemon_config)
+        self.assertIn('included-http-headers = Pragma: no-cache', daemon_config)
+        self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
author	Viacheslav Hletenko <v.gletenko@vyos.io>	2023-12-16 14:25:55 +0200
committer	GitHub <noreply@github.com>	2023-12-16 14:25:55 +0200
commit	e8282aa4f7e675d1189864799940c9a1b097601c (patch)
tree	e77b8eb4aee6b40a156472417b52f2a620284094 /smoketest/scripts/cli/test_vpn_openconnect.py
parent	357123273c808ddec77b097d47231e3301ee5731 (diff)
parent	1c82e661e04e0979e09e487a58a801ffa9f438e8 (diff)
download	vyos-1x-e8282aa4f7e675d1189864799940c9a1b097601c.tar.gz vyos-1x-e8282aa4f7e675d1189864799940c9a1b097601c.zip