| 84 | } |
| 85 | |
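// Test_RealWorldValues_AllHeaders configures every helmet header with a value
// resembling a production deployment and asserts that each one is reflected
// verbatim on the response.
//
// HSTSExcludeSubdomains and HSTSPreloadEnabled are configured but not
// asserted: the request below is plain HTTP, and the middleware presumably
// only emits Strict-Transport-Security for HTTPS requests — confirm against
// the middleware source before adding an HSTS assertion here.
func Test_RealWorldValues_AllHeaders(t *testing.T) {
	// The CSP is long; keep a single copy so the configured value and the
	// expected value cannot drift apart.
	const csp = "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"

	app := fiber.New()

	app.Use(New(Config{
		// Real-world values for all headers
		XSSProtection:             "0",
		ContentTypeNosniff:        "nosniff",
		XFrameOptions:             "SAMEORIGIN",
		HSTSExcludeSubdomains:     false,
		ContentSecurityPolicy:     csp,
		CSPReportOnly:             false,
		HSTSPreloadEnabled:        true,
		ReferrerPolicy:            "no-referrer",
		PermissionPolicy:          "geolocation=(self)",
		CrossOriginEmbedderPolicy: "require-corp",
		CrossOriginOpenerPolicy:   "same-origin",
		CrossOriginResourcePolicy: "same-origin",
		OriginAgentCluster:        "?1",
		XDNSPrefetchControl:       "off",
		XDownloadOptions:          "noopen",
		XPermittedCrossDomain:     "none",
	}))

	app.Get("/", func(c fiber.Ctx) error {
		return c.SendString("Hello, World!")
	})

	resp, err := app.Test(httptest.NewRequest(fiber.MethodGet, "/", http.NoBody))
	require.NoError(t, err)
	defer resp.Body.Close()
	// The handler must actually have run; header checks alone would not
	// distinguish a normal response from a middleware short-circuit.
	require.Equal(t, fiber.StatusOK, resp.StatusCode)

	// Expected header -> value pairs. CSPReportOnly is false above, so the
	// policy is expected on Content-Security-Policy, not the Report-Only
	// variant. Headers without a fiber.Header* constant used in this file
	// are spelled out as strings.
	expected := []struct {
		header string
		value  string
	}{
		{fiber.HeaderXXSSProtection, "0"},
		{fiber.HeaderXContentTypeOptions, "nosniff"},
		{fiber.HeaderXFrameOptions, "SAMEORIGIN"},
		{fiber.HeaderContentSecurityPolicy, csp},
		{fiber.HeaderReferrerPolicy, "no-referrer"},
		{fiber.HeaderPermissionsPolicy, "geolocation=(self)"},
		{"Cross-Origin-Embedder-Policy", "require-corp"},
		{"Cross-Origin-Opener-Policy", "same-origin"},
		{"Cross-Origin-Resource-Policy", "same-origin"},
		{"Origin-Agent-Cluster", "?1"},
		{"X-DNS-Prefetch-Control", "off"},
		{"X-Download-Options", "noopen"},
		{"X-Permitted-Cross-Domain-Policies", "none"},
	}
	for _, tc := range expected {
		// Name the header in the failure message so a mismatch is
		// attributable without counting assertion lines.
		require.Equal(t, tc.value, resp.Header.Get(tc.header), "header %q", tc.header)
	}
}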
| 130 | |
| 131 | func Test_Next(t *testing.T) { |
| 132 | app := fiber.New() |