author | Daniel Schalla <daniel@schalla.me> | 2018-10-16 16:51:46 +0200 |
committer | Christopher Speller <crspeller@gmail.com> | 2018-10-16 07:51:46 -0700 |
commit | 557fd9ea187b1279b43ff63b94fedf2320aa3351 (patch) | |
tree | 463fdbd5aefba8f94a61fb1338bf5e7bd123a5f6 /web | |
parent | cedf6488e4d4d66c186facb4253513b1f7e775c6 (diff) | |
Set default ciphers, set tls 1.2 via config, set curve prefs (#9315)
Config Checks at StartUp Part1
Config Checks; Tests for TLS Server
HSTS header implementation + tests
make gofmt happy with new go version...
make gofmt happy with new go version #2...
fix logic bug
fix typo
Fix unnecessary code block
Diffstat (limited to 'web')
-rw-r--r-- | web/handlers.go | 4 | ||||
-rw-r--r-- | web/handlers_test.go | 51 |
2 files changed, 53 insertions, 2 deletions
diff --git a/web/handlers.go b/web/handlers.go
index 71a43bc48..9b0705a5b 100644
--- a/web/handlers.go
+++ b/web/handlers.go
@@ -75,6 +75,10 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
 	w.Header().Set(model.HEADER_VERSION_ID, fmt.Sprintf("%v.%v.%v.%v", model.CurrentVersion, model.BuildNumber, c.App.ClientConfigHash(), c.App.License() != nil))
 
+	if *c.App.Config().ServiceSettings.TLSStrictTransport {
+		w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", *c.App.Config().ServiceSettings.TLSStrictTransportMaxAge))
+	}
+
 	if h.IsStatic {
 		// Instruct the browser not to display us in an iframe unless is the same origin for anti-clickjacking
 		w.Header().Set("X-Frame-Options", "SAMEORIGIN")
diff --git a/web/handlers_test.go b/web/handlers_test.go
index 0b9073fff..6b68a9987 100644
--- a/web/handlers_test.go
+++ b/web/handlers_test.go
@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func handlerForTest(c *Context, w http.ResponseWriter, r *http.Request) {
+func handlerForHTTPErrors(c *Context, w http.ResponseWriter, r *http.Request) {
 	c.Err = model.NewAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "", http.StatusFound)
 }
 
@@ -25,7 +25,7 @@ func TestHandlerServeHTTPErrors(t *testing.T) {
 	if err != nil {
 		panic(err)
 	}
-	handler := web.NewHandler(handlerForTest)
+	handler := web.NewHandler(handlerForHTTPErrors)
 
 	var flagtests = []struct {
 		name string
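Review bot: The flag and the max-age in the added `if` block come from two separate `c.App.Config()` calls, so under a concurrent config update (the kind the new test drives with `UpdateConfig`) the header can pair one snapshot's TLSStrictTransport with another snapshot's TLSStrictTransportMaxAge; take a single snapshot: `settings := c.App.Config().ServiceSettings`, `if *settings.TLSStrictTransport {`, `w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", *settings.TLSStrictTransportMaxAge))`. Both fields are dereferenced unconditionally, which presumably relies on the start-up config checks named in the description to guarantee non-nil defaults; a comment on the `if` such as `// TLSStrictTransport and TLSStrictTransportMaxAge are non-nil after config defaulting` would make that dependency visible. The header is emitted for every request regardless of whether it arrived over TLS; browsers ignore HSTS received over plain HTTP (RFC 6797), so this is correct behind a TLS-terminating reverse proxy, but that is worth a one-line comment so nobody later adds an `r.TLS != nil` guard that would break proxied deployments. ServeHTTP begins and ends outside the hunk.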
@@ -57,3 +57,50 @@ func TestHandlerServeHTTPErrors(t *testing.T) {
 		})
 	}
 }
+
+func handlerForHTTPSecureTransport(c *Context, w http.ResponseWriter, r *http.Request) {
+}
+
+func TestHandlerServeHTTPSecureTransport(t *testing.T) {
+	a, err := app.New(app.StoreOverride(testStore), app.DisableConfigWatch)
+	defer a.Shutdown()
+
+	a.UpdateConfig(func(config *model.Config) {
+		*config.ServiceSettings.TLSStrictTransport = true
+		*config.ServiceSettings.TLSStrictTransportMaxAge = 6000
+	})
+
+	web := NewWeb(a, a.Srv.Router)
+	if err != nil {
+		panic(err)
+	}
+	handler := web.NewHandler(handlerForHTTPSecureTransport)
+
+	request := httptest.NewRequest("GET", "/api/v4/test", nil)
+
+	response := httptest.NewRecorder()
+	handler.ServeHTTP(response, request)
+	header := response.Header().Get("Strict-Transport-Security")
+
+	if header == "" {
+		t.Errorf("Strict-Transport-Security expected but not existent")
+	}
+
+	if header != "max-age=6000" {
+		t.Errorf("Expected max-age=6000, got %s", header)
+	}
+
+	a.UpdateConfig(func(config *model.Config) {
+		*config.ServiceSettings.TLSStrictTransport = false
+	})
+
+	request = httptest.NewRequest("GET", "/api/v4/test", nil)
+
+	response = httptest.NewRecorder()
+	handler.ServeHTTP(response, request)
+	header = response.Header().Get("Strict-Transport-Security")
+
+	if header != "" {
+		t.Errorf("Strict-Transport-Security header is not expected, but returned")
+	}
+}
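Review bot: In TestHandlerServeHTTPSecureTransport the error from `app.New` is checked only after `defer a.Shutdown()`, `a.UpdateConfig(...)` and `NewWeb(a, a.Srv.Router)` have already used `a`, so a failing constructor would crash on a nil dereference instead of reaching the intended `panic(err)`; move `if err != nil { panic(err) }` to directly after the `a, err := app.New(...)` line, ahead of the `defer`. The `header == ""` check is fully subsumed by the following `header != "max-age=6000"` comparison, so an absent header reports two errors for one failure; dropping the first check, or folding the "expected but not existent" wording into the second message, keeps the output to a single diagnosis. Panicking rather than `t.Fatalf` matches the existing TestHandlerServeHTTPErrors, so that is consistent, though `t.Fatalf("app.New: %v", err)` would attribute the failure to this test instead of aborting the whole package run.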