Harden Headers (#2721)

* Basic security headers * Remove XSS Header (not relevent) * Fix config name * Use Arr::get() * Add tests * Re-fix the StoreConfig step for fresh installs Co-authored-by: luceos <luceos@users.noreply.github.com> Co-authored-by: Alexander Skvortsov <askvortsov1@users.noreply.github.com>
2025-07-31 21:50:50 +02:00 · 2021-05-03 12:42:06 -04:00
parent 9711af42ae
commit 7eea2476ca
7 changed files with 135 additions and 2 deletions
--- a/tests/integration/middleware/ContentTypeOptionsTest.php
+++ b/tests/integration/middleware/ContentTypeOptionsTest.php
@@ -0,0 +1,28 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Tests\integration\middleware;
+
+use Flarum\Testing\integration\TestCase;
+
+class ContentTypeOptionsTest extends TestCase
+{
+    /**
+     * @test
+     */
+    public function has_content_type_options_header()
+    {
+        $response = $this->send(
+            $this->request('GET', '/')
+        );
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertArrayHasKey('X-Content-Type-Options', $response->getHeaders());
+        $this->assertEquals('nosniff', $response->getHeader('X-Content-Type-Options')[0]);
+    }
+}
--- a/tests/integration/middleware/ReferrerPolicyTest.php
+++ b/tests/integration/middleware/ReferrerPolicyTest.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Tests\integration\middleware;
+
+use Flarum\Testing\integration\TestCase;
+
+class ReferrerPolicyTest extends TestCase
+{
+    /**
+     * @test
+     */
+    public function has_referer_header()
+    {
+        $response = $this->send(
+            $this->request('GET', '/')
+        );
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertArrayHasKey('Referrer-Policy', $response->getHeaders());
+    }
+
+    /**
+     * @test
+     */
+    public function has_default_referer_policy()
+    {
+        $response = $this->send(
+            $this->request('GET', '/')
+        );
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertEquals('same-origin', $response->getHeader('Referrer-Policy')[0]);
+    }
+}