uwe.admin/oatpp-authkit
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
oatpp-authkit/test/test_security_headers.cpp
Uwe Schuster 0d2312499e #3: SecurityHeadersInterceptor — strict baseline + CspOverride ctor (Option B) 
Aligns the default CSP, X-Frame-Options, HSTS and Permissions-Policy with
docs/security-baseline.md:
  - script-src/style-src drop 'unsafe-inline' and the unpkg.com allowance
  - img-src narrows from 'self' data: https: → 'self' data:
  - connect-src narrows from 'self' wss: ws: → 'self'
  - frame-ancestors flips from 'self' → 'none'
  - X-Frame-Options flips from SAMEORIGIN → DENY
  - HSTS keeps max-age=63072000 but drops includeSubDomains by default
    (apex-clobbering hazard noted in audit #1)
  - Permissions-Policy header added with the baseline sensor allowlist

Adds a CspOverride struct + ctor so consumers that genuinely need a
relaxation (Swagger UI subtree, cross-origin connect, …) can flip
individual directives without forking the interceptor. Empty fields
inherit the strict baseline.

Bumps to 0.3.6 (alongside owner's pending #4 + #5 + #6 work).

Closes #3

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 21:54:58 +02:00

41 lines
1.5 KiB
C++
Raw Permalink Blame History

// Smoke test for SecurityHeadersInterceptor — confirms the header compiles
// in a consumer translation unit and the constructor surface matches the
// documented API. Behavioural tests against a real IncomingRequest /
// OutgoingResponse pair would need a full oatpp request fixture; pinning
// the API surface here is enough to catch the kinds of breakage this
// header is at risk of (struct field renames, accidental ctor changes).
#include "oatpp-authkit/interceptor/SecurityHeadersInterceptor.hpp"
#include <cstdio>
#include <memory>
int main() {
using oatpp_authkit::CspOverride;
using oatpp_authkit::SecurityHeadersInterceptor;
// Default ctor: strict baseline.
auto strict = std::make_shared<SecurityHeadersInterceptor>();
(void)strict;
// Override ctor: every documented field reachable.
CspOverride o;
o.defaultSrc = "'self'";
o.scriptSrc = "'self' 'unsafe-inline'";
o.styleSrc = "'self' 'unsafe-inline'";
o.imgSrc = "'self' data: https:";
o.connectSrc = "'self' wss:";
o.fontSrc = "'self'";
o.frameAncestors = "'self'";
o.baseUri = "'self'";
o.formAction = "'self'";
o.sendHsts = false;
o.hstsIncludeSubdomains = true;
o.xFrameOptions = "SAMEORIGIN";
o.permissionsPolicy = "geolocation=(self)";
auto relaxed = std::make_shared<SecurityHeadersInterceptor>(std::move(o));
(void)relaxed;
std::printf("SecurityHeadersInterceptor API ok\n");
return 0;
}
Reference in a new issue View git blame Copy permalink