authorTor Brede Vekterli <vekterli@verizonmedia.com>2019-08-13 14:23:45 +0000
committerTor Brede Vekterli <vekterli@verizonmedia.com>2019-08-13 15:27:57 +0000
commitd0e2b5082708cdf5044509dc242cfadc6ee68461 (patch)
tree0744565a97de7b7ec9746e1caa285b08f77de320 /storage
parente15d87688f4da812e93500598fa653164b47b9bd (diff)
Set basic HTTP security headers on status pages served from backend
We should already escape everything printed on these pages, but as part of a defense-in-depth strategy we use a restrictive set of HTTP security headers to minimize the impact of a regression or bug.
Diffstat (limited to 'storage')
-rw-r--r--storage/src/tests/frameworkimpl/status/statustest.cpp18
1 files changed, 18 insertions, 0 deletions
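diff --git a/storage/src/tests/frameworkimpl/status/statustest.cpp b/storage/src/tests/frameworkimpl/status/statustest.cpp
index e7d0d496cc8..81d91e2f08a 100644
--- a/storage/src/tests/frameworkimpl/status/statustest.cpp
+++ b/storage/src/tests/frameworkimpl/status/statustest.cpp
@@ -115,6 +115,12 @@ TEST_F(StatusTest, index_status_page) {
 "Connection: close\r\n"
 "Content-Type: text\\/html\r\n"
 "Content-Length: [0-9]+\r\n"
+ "X-XSS-Protection: 1; mode=block\r\n"
+ "X-Frame-Options: DENY\r\n"
+ "Content-Security-Policy: default-src 'none'\r\n"
+ "X-Content-Type-Options: nosniff\r\n"
+ "Cache-Control: no-store\r\n"
+ "Pragma: no-cache\r\n"
 "\r\n"
 "<html>\n"
 "<head>\n"
@@ -144,6 +150,12 @@ TEST_F(StatusTest, html_status) {
 "Connection: close\r\n"
 "Content-Type: text/html\r\n"
 "Content-Length: 117\r\n"
+ "X-XSS-Protection: 1; mode=block\r\n"
+ "X-Frame-Options: DENY\r\n"
+ "Content-Security-Policy: default-src 'none'\r\n"
+ "X-Content-Type-Options: nosniff\r\n"
+ "Cache-Control: no-store\r\n"
+ "Pragma: no-cache\r\n"
 "\r\n"
 "<html>\n"
 "<head>\n"
@@ -170,6 +182,12 @@ TEST_F(StatusTest, xml_sStatus) {
 "Connection: close\r\n"
 "Content-Type: application/xml\r\n"
 "Content-Length: 100\r\n"
+ "X-XSS-Protection: 1; mode=block\r\n"
+ "X-Frame-Options: DENY\r\n"
+ "Content-Security-Policy: default-src 'none'\r\n"
+ "X-Content-Type-Options: nosniff\r\n"
+ "Cache-Control: no-store\r\n"
+ "Pragma: no-cache\r\n"
 "\r\n"
 "<?xml version=\"1.0\"?>\n"
 "<status id=\"fooid\" name=\"Foo impl\">\n"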