1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
|
from django.http import HttpResponse
from django.test import RequestFactory, SimpleTestCase
from django.test.utils import override_settings
class SecurityMiddlewareTest(SimpleTestCase):
def middleware(self, *args, **kwargs):
from django.middleware.security import SecurityMiddleware
return SecurityMiddleware(self.response(*args, **kwargs))
@property
def secure_request_kwargs(self):
return {"wsgi.url_scheme": "https"}
def response(self, *args, headers=None, **kwargs):
def get_response(req):
response = HttpResponse(*args, **kwargs)
if headers:
for k, v in headers.items():
response.headers[k] = v
return response
return get_response
def process_response(self, *args, secure=False, request=None, **kwargs):
request_kwargs = {}
if secure:
request_kwargs.update(self.secure_request_kwargs)
if request is None:
request = self.request.get("/some/url", **request_kwargs)
ret = self.middleware(*args, **kwargs).process_request(request)
if ret:
return ret
return self.middleware(*args, **kwargs)(request)
request = RequestFactory()
def process_request(self, method, *args, secure=False, **kwargs):
if secure:
kwargs.update(self.secure_request_kwargs)
req = getattr(self.request, method.lower())(*args, **kwargs)
return self.middleware().process_request(req)
@override_settings(SECURE_HSTS_SECONDS=3600)
def test_sts_on(self):
"""
With SECURE_HSTS_SECONDS=3600, the middleware adds
"Strict-Transport-Security: max-age=3600" to the response.
"""
self.assertEqual(
self.process_response(secure=True).headers['Strict-Transport-Security'],
'max-age=3600',
)
@override_settings(SECURE_HSTS_SECONDS=3600)
def test_sts_already_present(self):
"""
The middleware will not override a "Strict-Transport-Security" header
already present in the response.
"""
response = self.process_response(
secure=True,
headers={"Strict-Transport-Security": "max-age=7200"})
self.assertEqual(response.headers["Strict-Transport-Security"], "max-age=7200")
@override_settings(SECURE_HSTS_SECONDS=3600)
def test_sts_only_if_secure(self):
"""
The "Strict-Transport-Security" header is not added to responses going
over an insecure connection.
"""
self.assertNotIn(
'Strict-Transport-Security',
self.process_response(secure=False).headers,
)
@override_settings(SECURE_HSTS_SECONDS=0)
def test_sts_off(self):
"""
With SECURE_HSTS_SECONDS=0, the middleware does not add a
"Strict-Transport-Security" header to the response.
"""
self.assertNotIn(
'Strict-Transport-Security',
self.process_response(secure=True).headers,
)
@override_settings(SECURE_HSTS_SECONDS=600, SECURE_HSTS_INCLUDE_SUBDOMAINS=True)
def test_sts_include_subdomains(self):
"""
With SECURE_HSTS_SECONDS non-zero and SECURE_HSTS_INCLUDE_SUBDOMAINS
True, the middleware adds a "Strict-Transport-Security" header with the
"includeSubDomains" directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=600; includeSubDomains',
)
@override_settings(SECURE_HSTS_SECONDS=600, SECURE_HSTS_INCLUDE_SUBDOMAINS=False)
def test_sts_no_include_subdomains(self):
"""
With SECURE_HSTS_SECONDS non-zero and SECURE_HSTS_INCLUDE_SUBDOMAINS
False, the middleware adds a "Strict-Transport-Security" header without
the "includeSubDomains" directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(response.headers["Strict-Transport-Security"], "max-age=600")
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_PRELOAD=True)
def test_sts_preload(self):
"""
With SECURE_HSTS_SECONDS non-zero and SECURE_HSTS_PRELOAD True, the
middleware adds a "Strict-Transport-Security" header with the "preload"
directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=10886400; preload',
)
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_INCLUDE_SUBDOMAINS=True, SECURE_HSTS_PRELOAD=True)
def test_sts_subdomains_and_preload(self):
"""
With SECURE_HSTS_SECONDS non-zero, SECURE_HSTS_INCLUDE_SUBDOMAINS and
SECURE_HSTS_PRELOAD True, the middleware adds a "Strict-Transport-Security"
header containing both the "includeSubDomains" and "preload" directives
to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=10886400; includeSubDomains; preload',
)
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_PRELOAD=False)
def test_sts_no_preload(self):
"""
With SECURE_HSTS_SECONDS non-zero and SECURE_HSTS_PRELOAD
False, the middleware adds a "Strict-Transport-Security" header without
the "preload" directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=10886400',
)
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
def test_content_type_on(self):
"""
With SECURE_CONTENT_TYPE_NOSNIFF set to True, the middleware adds
"X-Content-Type-Options: nosniff" header to the response.
"""
self.assertEqual(
self.process_response().headers['X-Content-Type-Options'],
'nosniff',
)
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
def test_content_type_already_present(self):
"""
The middleware will not override an "X-Content-Type-Options" header
already present in the response.
"""
response = self.process_response(secure=True, headers={"X-Content-Type-Options": "foo"})
self.assertEqual(response.headers["X-Content-Type-Options"], "foo")
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=False)
def test_content_type_off(self):
"""
With SECURE_CONTENT_TYPE_NOSNIFF False, the middleware does not add an
"X-Content-Type-Options" header to the response.
"""
self.assertNotIn('X-Content-Type-Options', self.process_response().headers)
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
def test_xss_filter_on(self):
"""
With SECURE_BROWSER_XSS_FILTER set to True, the middleware adds
"s-xss-protection: 1; mode=block" header to the response.
"""
self.assertEqual(
self.process_response().headers['X-XSS-Protection'],
'1; mode=block',
)
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
def test_xss_filter_already_present(self):
"""
The middleware will not override an "X-XSS-Protection" header
already present in the response.
"""
response = self.process_response(secure=True, headers={"X-XSS-Protection": "foo"})
self.assertEqual(response.headers["X-XSS-Protection"], "foo")
@override_settings(SECURE_BROWSER_XSS_FILTER=False)
def test_xss_filter_off(self):
"""
With SECURE_BROWSER_XSS_FILTER set to False, the middleware does not
add an "X-XSS-Protection" header to the response.
"""
self.assertNotIn('X-XSS-Protection', self.process_response().headers)
@override_settings(SECURE_SSL_REDIRECT=True)
def test_ssl_redirect_on(self):
"""
With SECURE_SSL_REDIRECT True, the middleware redirects any non-secure
requests to the https:// version of the same URL.
"""
ret = self.process_request("get", "/some/url?query=string")
self.assertEqual(ret.status_code, 301)
self.assertEqual(ret["Location"], "https://testserver/some/url?query=string")
@override_settings(SECURE_SSL_REDIRECT=True)
def test_no_redirect_ssl(self):
"""
The middleware does not redirect secure requests.
"""
ret = self.process_request("get", "/some/url", secure=True)
self.assertIsNone(ret)
@override_settings(SECURE_SSL_REDIRECT=True, SECURE_REDIRECT_EXEMPT=["^insecure/"])
def test_redirect_exempt(self):
"""
The middleware does not redirect requests with URL path matching an
exempt pattern.
"""
ret = self.process_request("get", "/insecure/page")
self.assertIsNone(ret)
@override_settings(SECURE_SSL_REDIRECT=True, SECURE_SSL_HOST="secure.example.com")
def test_redirect_ssl_host(self):
"""
The middleware redirects to SECURE_SSL_HOST if given.
"""
ret = self.process_request("get", "/some/url")
self.assertEqual(ret.status_code, 301)
self.assertEqual(ret["Location"], "https://secure.example.com/some/url")
@override_settings(SECURE_SSL_REDIRECT=False)
def test_ssl_redirect_off(self):
"""
With SECURE_SSL_REDIRECT False, the middleware does not redirect.
"""
ret = self.process_request("get", "/some/url")
self.assertIsNone(ret)
@override_settings(SECURE_REFERRER_POLICY=None)
def test_referrer_policy_off(self):
"""
With SECURE_REFERRER_POLICY set to None, the middleware does not add a
"Referrer-Policy" header to the response.
"""
self.assertNotIn('Referrer-Policy', self.process_response().headers)
def test_referrer_policy_on(self):
"""
With SECURE_REFERRER_POLICY set to a valid value, the middleware adds a
"Referrer-Policy" header to the response.
"""
tests = (
('strict-origin', 'strict-origin'),
('strict-origin,origin', 'strict-origin,origin'),
('strict-origin, origin', 'strict-origin,origin'),
(['strict-origin', 'origin'], 'strict-origin,origin'),
(('strict-origin', 'origin'), 'strict-origin,origin'),
)
for value, expected in tests:
with self.subTest(value=value), override_settings(SECURE_REFERRER_POLICY=value):
self.assertEqual(
self.process_response().headers['Referrer-Policy'],
expected,
)
@override_settings(SECURE_REFERRER_POLICY='strict-origin')
def test_referrer_policy_already_present(self):
"""
The middleware will not override a "Referrer-Policy" header already
present in the response.
"""
response = self.process_response(headers={'Referrer-Policy': 'unsafe-url'})
self.assertEqual(response.headers['Referrer-Policy'], 'unsafe-url')
|
