ContainerImage.Pinniped/internal/httputil/securityheader/securityheader_test.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package securityheader

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/require"
)

func TestWrap(t *testing.T) {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("hello world"))
	})
	rec := httptest.NewRecorder()
	Wrap(handler).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	require.Equal(t, http.StatusOK, rec.Code)
	require.Equal(t, "hello world", rec.Body.String())
	require.EqualValues(t, http.Header{
		"Content-Security-Policy": []string{"default-src 'none'; frame-ancestors 'none'"},
		"Content-Type":            []string{"text/plain; charset=utf-8"},
		"Referrer-Policy":         []string{"no-referrer"},
		"X-Content-Type-Options":  []string{"nosniff"},
		"X-Frame-Options":         []string{"DENY"},
		"X-Xss-Protection":        []string{"1; mode=block"},
		"X-Dns-Prefetch-Control":  []string{"off"},
		"Cache-Control":           []string{"no-cache", "no-store", "max-age=0", "must-revalidate"},
		"Pragma":                  []string{"no-cache"},
		"Expires":                 []string{"0"},
	}, rec.Header())
}