diff options
author | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2019-08-13 14:23:45 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2019-08-13 15:27:57 +0000 |
commit | d0e2b5082708cdf5044509dc242cfadc6ee68461 (patch) | |
tree | 0744565a97de7b7ec9746e1caa285b08f77de320 /staging_vespalib | |
parent | e15d87688f4da812e93500598fa653164b47b9bd (diff) |
Set basic HTTP security headers on status pages served from backend
We should already escape everything printed on these pages, but as part
of a defense in depth strategy we use a restrictive set of HTTP security
headers to minimize the impact in the case of a regression or bug.
Diffstat (limited to 'staging_vespalib')
-rw-r--r-- | staging_vespalib/src/tests/state_server/state_server_test.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/staging_vespalib/src/tests/state_server/state_server_test.cpp b/staging_vespalib/src/tests/state_server/state_server_test.cpp index 6c7397a1719..e61d3d216cd 100644 --- a/staging_vespalib/src/tests/state_server/state_server_test.cpp +++ b/staging_vespalib/src/tests/state_server/state_server_test.cpp @@ -87,6 +87,12 @@ TEST_FF("require that non-empty known url returns expected headers", DummyHandle "Connection: close\r\n" "Content-Type: application/json\r\n" "Content-Length: 5\r\n" + "X-XSS-Protection: 1; mode=block\r\n" + "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: default-src 'none'\r\n" + "X-Content-Type-Options: nosniff\r\n" + "Cache-Control: no-store\r\n" + "Pragma: no-cache\r\n" "\r\n" "[123]"); std::string actual = getFull(f2.port(), my_path); |