forked from freeCodeCamp/freeCodeCamp
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.test.ts
86 lines (79 loc) · 2.97 KB
/
server.test.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
import { setupServer, superRequest } from '../jest.utils';
import { HOME_LOCATION } from './utils/env';
jest.mock('./utils/env', () => {
// eslint-disable-next-line @typescript-eslint/no-unsafe-return
return {
...jest.requireActual('./utils/env'),
COOKIE_DOMAIN: 'freecodecamp.org'
};
});
describe('server', () => {
setupServer();
describe('GET /', () => {
test('should have OWASP recommended headers', async () => {
const res = await superRequest('/', { method: 'GET' });
expect(res.headers).toMatchObject({
'cache-control': 'no-store',
'content-security-policy': "frame-ancestors 'none'",
'content-type': 'application/json; charset=utf-8',
'x-content-type-options': 'nosniff',
'x-frame-options': 'DENY'
// In production we also set strict-transport-security, but in order to
// test this we would need to mock FREECODECAMP_NODE_ENV to production.
// This is possible, but has side effects (like using the normal
// database instead of the test ones). On balance it's not worth it.
});
});
test.each([
'https://www.freecodecamp.org',
'https://www.freecodecamp.dev',
'https://beta.freecodecamp.org',
'https://beta.freecodecamp.dev',
'https://chinese.freecodecamp.org',
'https://chinese.freecodecamp.dev'
])(
'should have Access-Control-Allow-Origin header for %s',
async origin => {
const res = await superRequest('/', { method: 'GET' }).set(
'origin',
origin
);
expect(res.headers).toMatchObject({
'access-control-allow-origin': origin
});
}
);
test('should have HOME_LOCATION Access-Control-Allow-Origin header for other origins', async () => {
const res = await superRequest('/', { method: 'GET' }).set(
'origin',
'https://www.google.com'
);
expect(res.headers).toMatchObject({
'access-control-allow-origin': HOME_LOCATION
});
});
test('should have CORS headers', async () => {
const res = await superRequest('/', { method: 'GET' });
expect(res.headers).toMatchObject({
'access-control-allow-headers':
'Origin, X-Requested-With, Content-Type, Accept, Csrf-Token, Coderoad-User-Token, Exam-Environment-Authorization-Token',
'access-control-allow-credentials': 'true',
'access-control-allow-methods': 'GET, PUT, POST, DELETE'
});
});
});
describe('GET /documentation', () => {
test('should have OWASP recommended headers, except content-type', async () => {
const res = await superRequest('/documentation/static/index.html', {
method: 'GET'
});
expect(res.headers).toMatchObject({
'cache-control': 'no-store',
'content-security-policy': "frame-ancestors 'none'",
'content-type': 'text/html; charset=utf-8',
'x-content-type-options': 'nosniff',
'x-frame-options': 'DENY'
});
});
});
});