Aligns the default CSP, X-Frame-Options, HSTS and Permissions-Policy with docs/security-baseline.md:

- script-src/style-src drop 'unsafe-inline' and the unpkg.com allowance
- img-src narrows from 'self' data: https: → 'self' data:
- connect-src narrows from 'self' wss: ws: → 'self'
- frame-ancestors flips from 'self' → 'none'
- X-Frame-Options flips from SAMEORIGIN → DENY
- HSTS keeps max-age=63072000 but drops includeSubDomains by default (apex-clobbering hazard noted in audit #1)
- Permissions-Policy header added with the baseline sensor allowlist

Adds a CspOverride struct + ctor so consumers that genuinely need a relaxation (Swagger UI subtree, cross-origin connect, …) can flip individual directives without forking the interceptor. Empty fields inherit the strict baseline.

Bumps to 0.3.6 (alongside owner's pending #4 + #5 + #6 work).

Closes #3
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
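As an added example, not oatpp-authkit's own code: a hypothetical stand-in for the CspOverride described in the commit message, showing the inherit-on-empty rule, X-Frame-Options derived from frame-ancestors so the two headers cannot disagree, and a review check that flags any override re-admitting 'unsafe-inline'. Assumed: the post-change script-src/style-src baseline is 'self'; the struct and function names here are invented.

```cpp
#include <string>

// Hypothetical stand-in for the commit's CspOverride (not the project's type).
// An empty field means "inherit the strict baseline".
struct CspOverride {
    std::string scriptSrc;
    std::string styleSrc;
    std::string imgSrc;
    std::string connectSrc;
    std::string frameAncestors;
};

// Return the override if set, otherwise the baseline directive value.
static std::string pick(const std::string& ov, const char* baseline) {
    return ov.empty() ? std::string(baseline) : ov;
}

// Render the Content-Security-Policy value. Baseline values follow the commit
// message; 'self' for script-src/style-src is an assumption.
std::string buildCsp(const CspOverride& o) {
    return "script-src " + pick(o.scriptSrc, "'self'") +
           "; style-src " + pick(o.styleSrc, "'self'") +
           "; img-src " + pick(o.imgSrc, "'self' data:") +
           "; connect-src " + pick(o.connectSrc, "'self'") +
           "; frame-ancestors " + pick(o.frameAncestors, "'none'");
}

// The commit flips frame-ancestors and X-Frame-Options together; deriving the
// legacy header from the CSP directive keeps them consistent by construction.
std::string xFrameOptionsFor(const CspOverride& o) {
    const std::string fa = pick(o.frameAncestors, "'none'");
    if (fa == "'none'") return "DENY";
    if (fa == "'self'") return "SAMEORIGIN";
    return "";  // host-list allowances have no XFO equivalent; CSP governs alone
}

// Review check: does the rendered policy re-admit inline script in script-src?
bool allowsInlineScript(const std::string& csp) {
    const auto at = csp.find("script-src ");
    if (at == std::string::npos) return false;
    const auto end = csp.find(';', at);
    const std::string directive =
        csp.substr(at, end == std::string::npos ? std::string::npos : end - at);
    return directive.find("'unsafe-inline'") != std::string::npos;
}
```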
19 lines, 883 B, CMake
```cmake
# Minimal test harness for oatpp-authkit.
#
# Adds plain executable tests linked against the INTERFACE library and oatpp.
# No third-party test framework — assertions use <cassert> and a tiny REQUIRE
# macro so the suite stays portable and dependency-free.

find_package(oatpp REQUIRED)

add_executable(test_negotiation test_negotiation.cpp)
target_link_libraries(test_negotiation PRIVATE oatpp::authkit oatpp::oatpp)
add_test(NAME negotiation COMMAND test_negotiation)

add_executable(test_body_size_limit test_body_size_limit.cpp)
target_link_libraries(test_body_size_limit PRIVATE oatpp::authkit oatpp::oatpp)
add_test(NAME body_size_limit COMMAND test_body_size_limit)

add_executable(test_security_headers test_security_headers.cpp)
target_link_libraries(test_security_headers PRIVATE oatpp::authkit oatpp::oatpp)
add_test(NAME security_headers COMMAND test_security_headers)
```