From d0e2b5082708cdf5044509dc242cfadc6ee68461 Mon Sep 17 00:00:00 2001
From: Tor Brede Vekterli
Date: Tue, 13 Aug 2019 14:23:45 +0000
Subject: Set basic HTTP security headers on status pages served from backend

We should already escape everything printed on these pages, but as part of a defense in depth strategy we use a restrictive set of HTTP security headers to minimize the impact in the case of a regression or bug.
---
 staging_vespalib/src/tests/state_server/state_server_test.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'staging_vespalib/src')

diff --git a/staging_vespalib/src/tests/state_server/state_server_test.cpp b/staging_vespalib/src/tests/state_server/state_server_test.cpp
index 6c7397a1719..e61d3d216cd 100644
--- a/staging_vespalib/src/tests/state_server/state_server_test.cpp
+++ b/staging_vespalib/src/tests/state_server/state_server_test.cpp
@@ -87,6 +87,12 @@ TEST_FF("require that non-empty known url returns expected headers", DummyHandle
 "Connection: close\r\n"
 "Content-Type: application/json\r\n"
 "Content-Length: 5\r\n"
+ "X-XSS-Protection: 1; mode=block\r\n"
+ "X-Frame-Options: DENY\r\n"
+ "Content-Security-Policy: default-src 'none'\r\n"
+ "X-Content-Type-Options: nosniff\r\n"
+ "Cache-Control: no-store\r\n"
+ "Pragma: no-cache\r\n"
 "\r\n"
 "[123]");
 std::string actual = getFull(f2.port(), my_path);
-- cgit v1.2.3
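Review bot: The new header expectations are pinned only on the successful known-url response in this hunk, yet an error response for an unknown or malformed path is where a reflected-content regression is most likely to surface; if the unknown-url/404 test elsewhere in this file does not already assert the same six headers, it should, so the defense-in-depth claim in the commit message holds for every response the server emits. Two caveats on the values themselves: `default-src 'none'` does not govern `frame-ancestors` (that directive has no fallback to default-src), so keeping `X-Frame-Options: DENY` alongside it is correct, and adding `frame-ancestors 'none'` to the CSP would also cover clients that ignore the older header. `X-XSS-Protection: 1; mode=block` is a legacy filter that major browsers have since dropped, and later OWASP guidance recommends `X-XSS-Protection: 0` because the filter itself was usable for cross-site leaks; with a `'none'` CSP in place it adds little and could be set to `0` or omitted. The TEST_FF body begins before and continues after this hunk.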