Files
multica/server/internal/middleware/csp_test.go
LinYushen e20c507dcc fix(security): add Content-Security-Policy response header (#822)
Adds CSP middleware to the global middleware chain as a browser-level
defense against XSS: script-src 'self', object-src 'none',
frame-ancestors 'none', base-uri 'self', form-action 'self'.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 12:53:39 +08:00

37 lines
809 B
Go

package middleware
import (
"net/http"
"net/http/httptest"
"strings"
"testing"
)
func TestContentSecurityPolicy(t *testing.T) {
handler := ContentSecurityPolicy(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
req := httptest.NewRequest(http.MethodGet, "/", nil)
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
csp := rec.Header().Get("Content-Security-Policy")
if csp == "" {
t.Fatal("Content-Security-Policy header is missing")
}
required := []string{
"script-src 'self'",
"object-src 'none'",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
}
for _, directive := range required {
if !strings.Contains(csp, directive) {
t.Errorf("CSP missing directive %q; got: %s", directive, csp)
}
}
}