molecule-ai/molecule-core
35
0
Fork 2
Code Issues 22 Pull Requests 4 Actions 50 Packages Projects Releases Wiki Activity
0aec76400a
molecule-core/platform/internal/middleware/securityheaders_test.go
Hongming Wang cb37aa850c fix(security): add Referrer-Policy + Permissions-Policy headers (#282) 
Closes #282. CLAUDE.md documented the SecurityHeaders() middleware as
setting 6 headers (X-Content-Type-Options, X-Frame-Options, Referrer-
Policy, Content-Security-Policy, Permissions-Policy, HSTS) but the
implementation only set 4 — Referrer-Policy and Permissions-Policy
were silently missing.

Adds:
- Referrer-Policy: strict-origin-when-cross-origin — prevents
  browsers from leaking full paths/queries in Referer on cross-
  origin navigation. Particularly relevant for canvas embeds of
  Langfuse trace URLs that may contain trace IDs.
- Permissions-Policy: camera=(), microphone=(), geolocation=() —
  denies sensor access by default. Iframes the canvas embeds
  (Langfuse trace viewer etc.) can no longer request these
  without an explicit delegation.

Regression tests added to securityheaders_test.go — both headers
are now in the same table-driven assertion loop as the other 4,
so a future edit that drops them again fails CI loudly.

LOW severity — this is defense-in-depth, not a direct exploit path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 16:52:19 -07:00

103 lines
2.9 KiB
Go
Raw Blame History

package middleware
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
)
func init() {
gin.SetMode(gin.TestMode)
}
func TestSecurityHeaders(t *testing.T) {
r := gin.New()
r.Use(SecurityHeaders())
r.GET("/test", func(c *gin.Context) {
c.String(http.StatusOK, "ok")
})
w := httptest.NewRecorder()
req, _ := http.NewRequest(http.MethodGet, "/test", nil)
r.ServeHTTP(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected status 200, got %d", w.Code)
}
tests := []struct {
header string
want string
}{
{"X-Content-Type-Options", "nosniff"},
{"X-Frame-Options", "DENY"},
{"Content-Security-Policy", "default-src 'self'"},
{"Strict-Transport-Security", "max-age=31536000; includeSubDomains"},
// #282: regression guards for the two headers that were
// documented in CLAUDE.md but missing from the implementation.
{"Referrer-Policy", "strict-origin-when-cross-origin"},
{"Permissions-Policy", "camera=(), microphone=(), geolocation=()"},
}
for _, tt := range tests {
got := w.Header().Get(tt.header)
if got != tt.want {
t.Errorf("header %s = %q, want %q", tt.header, got, tt.want)
}
}
}
func TestSecurityHeadersPresenceOnMultipleRoutes(t *testing.T) {
r := gin.New()
r.Use(SecurityHeaders())
r.GET("/a", func(c *gin.Context) { c.String(http.StatusOK, "a") })
r.POST("/b", func(c *gin.Context) { c.String(http.StatusCreated, "b") })
// GET /a
w1 := httptest.NewRecorder()
req1, _ := http.NewRequest(http.MethodGet, "/a", nil)
r.ServeHTTP(w1, req1)
if v := w1.Header().Get("X-Frame-Options"); v != "DENY" {
t.Errorf("GET /a: X-Frame-Options = %q, want DENY", v)
}
// POST /b
w2 := httptest.NewRecorder()
req2, _ := http.NewRequest(http.MethodPost, "/b", nil)
r.ServeHTTP(w2, req2)
if v := w2.Header().Get("X-Content-Type-Options"); v != "nosniff" {
t.Errorf("POST /b: X-Content-Type-Options = %q, want nosniff", v)
}
if v := w2.Header().Get("Strict-Transport-Security"); v != "max-age=31536000; includeSubDomains" {
t.Errorf("POST /b: Strict-Transport-Security = %q, want max-age=31536000; includeSubDomains", v)
}
if v := w2.Header().Get("Content-Security-Policy"); v != "default-src 'self'" {
t.Errorf("POST /b: Content-Security-Policy = %q, want default-src 'self'", v)
}
}
func TestSecurityHeadersDoNotOverrideExisting(t *testing.T) {
r := gin.New()
r.Use(SecurityHeaders())
r.GET("/custom", func(c *gin.Context) {
// Handler sets its own X-Frame-Options — SecurityHeaders runs before
// the handler, so the handler's value will take precedence.
c.Header("X-Frame-Options", "SAMEORIGIN")
c.String(http.StatusOK, "custom")
})
w := httptest.NewRecorder()
req, _ := http.NewRequest(http.MethodGet, "/custom", nil)
r.ServeHTTP(w, req)
// The handler's value should be present (may override middleware's)
got := w.Header().Get("X-Frame-Options")
if got != "SAMEORIGIN" {
t.Errorf("expected handler override SAMEORIGIN, got %q", got)
}
}
Reference in New Issue View Git Blame Copy Permalink