aboutsummaryrefslogtreecommitdiffstats
path: root/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
diff options
context:
space:
mode:
Diffstat (limited to 'apps/settings/tests/SetupChecks/SecurityHeadersTest.php')
-rw-r--r--apps/settings/tests/SetupChecks/SecurityHeadersTest.php15
1 files changed, 3 insertions, 12 deletions
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
index e7d87775485..1f75907d427 100644
--- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -84,7 +84,7 @@ class SecurityHeadersTest extends TestCase {
$result = $this->setupcheck->run();
$this->assertEquals(
- "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
+ "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
$result->getDescription()
);
$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
@@ -94,7 +94,6 @@ class SecurityHeadersTest extends TestCase {
return [
// description => modifiedHeaders
'basic' => [[]],
- 'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
@@ -107,13 +106,10 @@ class SecurityHeadersTest extends TestCase {
];
}
- /**
- * @dataProvider dataSuccess
- */
+ #[\PHPUnit\Framework\Attributes\DataProvider('dataSuccess')]
public function testSuccess(array $headers): void {
$headers = array_merge(
[
- 'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',
@@ -140,8 +136,6 @@ class SecurityHeadersTest extends TestCase {
return [
// description => modifiedHeaders
'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
- 'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
- 'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
@@ -151,13 +145,10 @@ class SecurityHeadersTest extends TestCase {
];
}
- /**
- * @dataProvider dataFailure
- */
+ #[\PHPUnit\Framework\Attributes\DataProvider('dataFailure')]
public function testFailure(array $headers, string $msg): void {
$headers = array_merge(
[
- 'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff',
'X-Robots-Tag' => 'noindex, nofollow',
'X-Frame-Options' => 'SAMEORIGIN',