
fix(www): fix static location HSTS header, improve header tests

Peter Thomassen 5 년 전
부모
커밋
e2cac495da
5개의 변경된 파일18개의 추가작업 그리고 1개의 파일을 삭제
  1. 14 0
      test/e2e/spec/api_spec.js
  2. 1 0
      test/e2e/spec/www_spec.js
  3. 2 0
      www/conf/global.conf
  4. 0 1
      www/conf/sites-available/90-desec.conf.var
  5. 1 0
      www/conf/sites-available/90-desec.static.location

+ 14 - 0
test/e2e/spec/api_spec.js

@@ -78,6 +78,20 @@ describe("API v1", function () {
         });
     });
 
+    it("has HSTS header", function () {
+        var response = chakram.get('/');
+        expect(response).to.have.header('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload');
+        return chakram.wait();
+    });
+
+    it("has CORS headers", function () {
+        return chakram.options('/', {headers: {'Origin': 'http://foo.example' }}).then(function (response) {
+            expect(response).to.have.header('access-control-allow-origin', '*');
+            expect(response).to.have.header('access-control-allow-headers', /.*authorization.*/);
+            return chakram.wait();
+        });
+    });
+
     describe("user registration", function () {
 
         var captcha;
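Review bot: The expectation `expect(response).to.have.header('access-control-allow-headers', /.*authorization.*/);` is case-sensitive, while CORS header-name tokens are compared case-insensitively, so a server that emits `Authorization` would fail the test for no security reason; `/authorization/i` states the intent and drops the redundant `.*` wrappers. The two new tests also mix chakram styles: the HSTS test relies on a bare `return chakram.wait();`, whereas the CORS test wraps the same expectations in a `.then` and returns `chakram.wait()` from inside it; both work, but one pattern should be used consistently. The HSTS value literal is now repeated in www_spec.js and in both nginx files, so hoisting it into one shared constant in the specs would keep the two tests from silently diverging when the max-age or directives change. The enclosing `describe("API v1", …)` starts and ends outside the hunk.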

+ 1 - 0
test/e2e/spec/www_spec.js

@@ -155,6 +155,7 @@ describe("www/nginx", function () {
 
         it("has security headers", function () {
             var response = chakram.get('https://www/');
+            expect(response).to.have.header('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload');
             expect(response).to.have.header('Content-Security-Policy', "default-src 'none'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';");
             expect(response).to.have.header('X-Frame-Options', 'deny');
             expect(response).to.have.header('X-Content-Type-Options', 'nosniff');

+ 2 - 0
www/conf/global.conf

@@ -1,3 +1,5 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+
 location ^~ /.well-known {
 	root /var/www/html;
 }
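Review bot: The HSTS `add_header` moved into this file is inherited only by `location` blocks that declare no `add_header` of their own, which is exactly why 90-desec.static.location has to repeat the same line in this commit; any other location under these servers that sets its own headers will drop HSTS the same way, and nothing in the hunk records that rule. A comment above the new line would protect the next editor, e.g. `# nginx add_header is NOT inherited into a location that sets its own add_header; such locations must repeat this line (see 90-desec.static.location).` If global.conf is also included from a plain-HTTP server block, the header would be sent over cleartext, which RFC 6797 §7.2 says a host must not do (clients ignore it), so the include should stay limited to TLS server blocks; the other include sites are not visible in this hunk.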

+ 0 - 1
www/conf/sites-available/90-desec.conf.var

@@ -11,7 +11,6 @@ server {
 
 	ssl_certificate ${CERT_PATH}desec.${DESECSTACK_DOMAIN}.cer;
 	ssl_certificate_key ${CERT_PATH}desec.${DESECSTACK_DOMAIN}.key;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
 
 	include global.conf;
 

+ 1 - 0
www/conf/sites-available/90-desec.static.location

@@ -2,6 +2,7 @@
 # Static content for the web app
 #####
 location / {
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
     add_header Content-Security-Policy "default-src 'none'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';" always;
     add_header X-Frame-Options "deny" always;
     add_header X-Content-Type-Options "nosniff" always;