middleware/security.test

// Warning coming out of koa-cors
// https://github.com/whatwg/misc-server/pull/76
// https://github.com/whatwg/misc-server/pull/70

// https://tools.ietf.org/html/rfc6797
// https://www.chromium.org/hsts
// https://hstspreload.org

const
  { test, Server, fetch }
    = require ('snuggsi')
, { serve }
    = (new Server)


console.log ('SNUGGSI', require ('..'))

test `calling next middlewaree`


test `X-XSS-Protection: 1; mode=block`

(async assert => {

  const
    flag = 1
  , mode = 'block'
  , test = [flag, `mode=${mode}`]
  , expect = new RegExp ( test.join `; ` , 'g' )
  , server   = serve ``
  , headers
      = await fetch ('http://localhost:8181/').headers.get


  assert
    (expect.test (headers ('x-xss-protection')))

  server.close ``
})


test `X-Frame-Options: deny`

(async assert => {

  const
    server   = serve ``
  , response = await fetch ('http://localhost:8181/')


  assert
    ('deny' == response.headers.get ('x-frame-options'))

  server.close ()
})


test `X-Content-Type-Options: nosniff`

(async assert => {

  const
    server   = serve ``
  , response = await fetch ('http://localhost:8181/')


  assert
    ('nosniff' == response.headers.get ('x-content-type-options'))

  server.close ()
})


test `Strict-Transport-Security`

(async assert => {

  const
    server   = serve ``
  , response = await fetch ('http://localhost:8181/')

  , age      = 60 * 60 * 24 * 365
  , test     = [`max-age=${age}`, 'includeSubDomains', 'preload']
  , expected = new RegExp ( test.join `; ` , 'g')


  assert
    (expected.test (response.headers.get ('strict-transport-security')))

  server.close ()
})