authorJulien Lancelot <julien.lancelot@sonarsource.com>2016-11-10 12:29:23 +0100
committerSimon Brandhof <simon.brandhof@sonarsource.com>2016-11-14 12:18:50 +0100
commit901b8810a4d2c237395eced14e467be415218249 (patch)
treeae86617a877d0fe59314b0d8df765f54743c6fad /it
parentac06fa8bd33accb93e36ede7084c64988d511c51 (diff)
SONAR-8247 Fix security headers
Diffstat (limited to 'it')
-rw-r--r--it/it-tests/src/test/java/it/Category4Suite.java2
-rw-r--r--it/it-tests/src/test/java/it/serverSystem/HttpHeadersTest.java (renamed from it/it-tests/src/test/java/it/http/HttpHeadersTest.java)43
2 files changed, 42 insertions, 3 deletions
diff --git a/it/it-tests/src/test/java/it/Category4Suite.java b/it/it-tests/src/test/java/it/Category4Suite.java
index 9d9c8b61501..41c4373f731 100644
--- a/it/it-tests/src/test/java/it/Category4Suite.java
+++ b/it/it-tests/src/test/java/it/Category4Suite.java
@@ -29,7 +29,7 @@ import it.duplication.CrossProjectDuplicationsOnRemoveFileTest;
import it.duplication.CrossProjectDuplicationsTest;
import it.duplication.DuplicationsTest;
import it.duplication.NewDuplicationsTest;
-import it.http.HttpHeadersTest;
+import it.serverSystem.HttpHeadersTest;
import it.projectComparison.ProjectComparisonTest;
import it.projectEvent.EventTest;
import it.projectSearch.SearchProjectsTest;
diff --git a/it/it-tests/src/test/java/it/http/HttpHeadersTest.java b/it/it-tests/src/test/java/it/serverSystem/HttpHeadersTest.java
index bf06af57216..79f539a8a80 100644
--- a/it/it-tests/src/test/java/it/http/HttpHeadersTest.java
+++ b/it/it-tests/src/test/java/it/serverSystem/HttpHeadersTest.java
@@ -17,8 +17,7 @@
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
-
-package it.http;
+package it.serverSystem;
import com.google.common.base.Throwables;
import com.sonar.orchestrator.Orchestrator;
@@ -77,6 +76,36 @@ public class HttpHeadersTest {
assertCacheInBrowser(httpResponse);
}
+ @Test
+ public void verify_security_headers_on_base_url() throws Exception {
+ verifySecurityHeaders(call(orchestrator.getServer().getUrl() + "/"));
+ }
+
+ @Test
+ public void verify_security_headers_on_ws() throws Exception {
+ verifySecurityHeaders(call(orchestrator.getServer().getUrl() + "/api/issues/search"));
+ }
+
+ @Test
+ public void verify_security_headers_on_ruby_ws() throws Exception {
+ verifySecurityHeaders(call(orchestrator.getServer().getUrl() + "/api/resources/index"));
+ }
+
+ @Test
+ public void verify_security_headers_on_images() throws Exception {
+ verifySecurityHeaders(call(orchestrator.getServer().getUrl() + "/images/logo.svg"));
+ }
+
+ @Test
+ public void verify_security_headers_on_css() throws Exception {
+ verifySecurityHeaders(call(orchestrator.getServer().getUrl() + "/css/sonar.css"));
+ }
+
+ @Test
+ public void verify_security_headers_on_js() throws Exception {
+ verifySecurityHeaders(call(orchestrator.getServer().getUrl() + "/js/bundles/main.js"));
+ }
+
private static void assertCacheInBrowser(Response httpResponse) {
CacheControl cacheControl = httpResponse.cacheControl();
assertThat(cacheControl.mustRevalidate()).isFalse();
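Review bot: The six new verify_security_headers_on_* tests only cover successful responses, because verifySecurityHeaders (defined in the following hunk) asserts isSuccessful() before looking at the headers, so whether X-Frame-Options, X-XSS-Protection and X-Content-Type-Options are also present on error responses (a 404 for an unknown path, or a 401 on a protected web service, which are commonly served by a different code path) is not checked. A seventh case that requests a URL expected to fail and applies the three header assertions without the success assertion would close that gap. The six bodies also differ only in the path suffix; one test iterating over a list of paths, or a JUnit Parameterized runner, would keep the covered endpoints in one place. Separately, the Response returned by call() is never closed in any of these tests — if this is OkHttp, whose Response is Closeable, each unclosed body holds a connection, so `try (Response r = call(url)) { verifySecurityHeaders(r); }` would be the safer shape.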
@@ -91,6 +120,16 @@ public class HttpHeadersTest {
assertThat(cacheControl.noStore()).isTrue();
}
+ /**
+ * SONAR-8247
+ */
+ private static void verifySecurityHeaders(Response httpResponse) {
+ assertThat(httpResponse.isSuccessful()).isTrue();
+ assertThat(httpResponse.headers().get("X-Frame-Options")).isEqualTo("SAMEORIGIN");
+ assertThat(httpResponse.headers().get("X-XSS-Protection")).isEqualTo("1; mode=block");
+ assertThat(httpResponse.headers().get("X-Content-Type-Options")).isEqualTo("nosniff");
+ }
+
private static Response call(String url) {
Request request = new Request.Builder().get().url(url).build();
try {