mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-06 05:49:12 +02:00
Adds CSP middleware to the global middleware chain as a browser-level defense against XSS: script-src 'self', object-src 'none', frame-ancestors 'none', base-uri 'self', form-action 'self'. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
37 lines
809 B
Go
37 lines
809 B
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestContentSecurityPolicy(t *testing.T) {
|
|
handler := ContentSecurityPolicy(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
rec := httptest.NewRecorder()
|
|
handler.ServeHTTP(rec, req)
|
|
|
|
csp := rec.Header().Get("Content-Security-Policy")
|
|
if csp == "" {
|
|
t.Fatal("Content-Security-Policy header is missing")
|
|
}
|
|
|
|
required := []string{
|
|
"script-src 'self'",
|
|
"object-src 'none'",
|
|
"frame-ancestors 'none'",
|
|
"base-uri 'self'",
|
|
"form-action 'self'",
|
|
}
|
|
for _, directive := range required {
|
|
if !strings.Contains(csp, directive) {
|
|
t.Errorf("CSP missing directive %q; got: %s", directive, csp)
|
|
}
|
|
}
|
|
}
|