fix(www): fix static location HSTS header, improve header tests

test/e2e/spec/api_spec.js

@@ -78,6 +78,20 @@ describe("API v1", function () {
         });
     });
 
+    it("has HSTS header", function () {
+        var response = chakram.get('/');
+        expect(response).to.have.header('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload');
+        return chakram.wait();
+    });
+
+    it("has CORS headers", function () {
+        return chakram.options('/', {headers: {'Origin': 'http://foo.example' }}).then(function (response) {
+            expect(response).to.have.header('access-control-allow-origin', '*');
+            expect(response).to.have.header('access-control-allow-headers', /.*authorization.*/);
+            return chakram.wait();
+        });
+    });
+
     describe("user registration", function () {
 
         var captcha;

test/e2e/spec/www_spec.js

@@ -155,6 +155,7 @@ describe("www/nginx", function () {
 
         it("has security headers", function () {
             var response = chakram.get('https://www/');
+            expect(response).to.have.header('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload');
             expect(response).to.have.header('Content-Security-Policy', "default-src 'none'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';");
             expect(response).to.have.header('X-Frame-Options', 'deny');
             expect(response).to.have.header('X-Content-Type-Options', 'nosniff');

www/conf/global.conf

@@ -1,3 +1,5 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+
 location ^~ /.well-known {
 	root /var/www/html;
 }

www/conf/sites-available/90-desec.conf.var

@@ -11,7 +11,6 @@ server {
 
 	ssl_certificate ${CERT_PATH}desec.${DESECSTACK_DOMAIN}.cer;
 	ssl_certificate_key ${CERT_PATH}desec.${DESECSTACK_DOMAIN}.key;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
 
 	include global.conf;
 

www/conf/sites-available/90-desec.static.location

@@ -2,6 +2,7 @@
 # Static content for the web app
 #####
 location / {
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
     add_header Content-Security-Policy "default-src 'none'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';" always;
     add_header X-Frame-Options "deny" always;
     add_header X-Content-Type-Options "nosniff" always;