Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update headers tests with new ones

Browse source
This commit is contained in:
Théophile Diot 2024-06-25 12:19:48 +01:00
parent 44375f9c06
commit ac5569132c
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
5 changed files with 74 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
tests/core/headers/docker-compose.test.yml
View file

@ -8,15 +8,19 @@ services:
GENERATE_SELF_SIGNED_SSL: "no"
CUSTOM_HEADER: ""
REMOVE_HEADERS: "Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version"
KEEP_UPSTREAM_HEADERS: "Content-Security-Policy X-Frame-Options"
STRICT_TRANSPORT_SECURITY: "max-age=31536000; includeSubDomains; preload"
COOKIE_FLAGS: "* HttpOnly SameSite=Lax"
COOKIE_AUTO_SECURE_FLAG: "yes"
CONTENT_SECURITY_POLICY: "object-src 'none'; form-action 'self'; frame-ancestors 'self';"
CONTENT_SECURITY_POLICY_REPORT_ONLY: "no"
REFERRER_POLICY: "strict-origin-when-cross-origin"
PERMISSIONS_POLICY: "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
DISABLE_FLOC: "yes"
X_FRAME_OPTIONS: "SAMEORIGIN"
X_CONTENT_TYPE_OPTIONS: "nosniff"
X_XSS_PROTECTION: "1; mode=block"
X_DNS_PREFETCH_CONTROL: "off"
extra_hosts:
- "www.example.com:192.168.0.2"
networks:

4
tests/core/headers/docker-compose.yml
View file

@ -37,15 +37,19 @@ services:
# ? HEADERS settings
CUSTOM_HEADER: ""
REMOVE_HEADERS: "Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version"
KEEP_UPSTREAM_HEADERS: "Content-Security-Policy X-Frame-Options"
STRICT_TRANSPORT_SECURITY: "max-age=31536000; includeSubDomains; preload"
COOKIE_FLAGS: "* HttpOnly SameSite=Lax"
COOKIE_AUTO_SECURE_FLAG: "yes"
CONTENT_SECURITY_POLICY: "object-src 'none'; form-action 'self'; frame-ancestors 'self';"
CONTENT_SECURITY_POLICY_REPORT_ONLY: "no"
REFERRER_POLICY: "strict-origin-when-cross-origin"
PERMISSIONS_POLICY: "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
DISABLE_FLOC: "yes"
X_FRAME_OPTIONS: "SAMEORIGIN"
X_CONTENT_TYPE_OPTIONS: "nosniff"
X_XSS_PROTECTION: "1; mode=block"
X_DNS_PREFETCH_CONTROL: "off"
CUSTOM_CONF_SERVER_HTTP_ready: |
location /ready {
default_type 'text/plain';

30
tests/core/headers/main.py
View file

@ -36,7 +36,8 @@ try:
custom_headers = getenv("CUSTOM_HEADER", "")
remove_headers = getenv("REMOVE_HEADERS", "Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version")
strict_transport_security = getenv("STRICT_TRANSPORT_SECURITY", "max-age=31536000")
keep_upstream_headers = getenv("KEEP_UPSTREAM_HEADERS", "Content-Security-Policy X-Frame-Options")
strict_transport_security = getenv("STRICT_TRANSPORT_SECURITY", "max-age=31536000; includeSubDomains; preload")
cookie_flags = getenv("COOKIE_FLAGS", "* HttpOnly SameSite=Lax")
cookie_flags_1 = getenv("COOKIE_FLAGS_1")
cookie_auto_secure_flag = getenv("COOKIE_AUTO_SECURE_FLAG", "yes") == "yes"
@ -44,16 +45,18 @@ try:
"CONTENT_SECURITY_POLICY",
"object-src 'none'; form-action 'self'; frame-ancestors 'self';",
)
content_security_policy_report_only = getenv("CONTENT_SECURITY_POLICY_REPORT_ONLY", "no") == "yes"
referrer_policy = getenv("REFERRER_POLICY", "strict-origin-when-cross-origin")
permissions_policy = getenv(
"PERMISSIONS_POLICY",
"accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(),"
+ " execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(),"
+ " navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()",
)
) + (", interest-cohort=()" if getenv("DISABLE_FLOC", "yes") == "yes" else "")
x_frame_options = getenv("X_FRAME_OPTIONS", "SAMEORIGIN")
x_content_type_options = getenv("X_CONTENT_TYPE_OPTIONS", "nosniff")
x_xss_protection = getenv("X_XSS_PROTECTION", "1; mode=block")
x_dns_prefetch_control = getenv("X_DNS_PREFETCH_CONTROL", "off")
print(
f" Sending a HEAD request to http{'s' if ssl else ''}://www.example.com ...",
@ -94,9 +97,12 @@ try:
flush=True,
)
exit(1)
elif response.headers.get("Content-Security-Policy") != content_security_policy:
elif (
response.headers.get("Content-Security-Policy-Report-Only" if content_security_policy_report_only else "Content-Security-Policy")
!= content_security_policy
):
print(
f'❌ Header "Content-Security-Policy" doesn\'t have the right value. {response.headers.get("Content-Security-Policy", "missing header")} (header) != {content_security_policy} (env), exiting ...\nheaders: {response.headers}',
f'❌ Header "{"Content-Security-Policy-Report-Only" if content_security_policy_report_only else "Content-Security-Policy"}" doesn\'t have the right value. {response.headers.get("Content-Security-Policy-Report-Only" if content_security_policy_report_only else "Content-Security-Policy", "missing header")} (header) != {content_security_policy} (env), exiting ...\nheaders: {response.headers}',
flush=True,
)
exit(1)
@ -106,12 +112,20 @@ try:
flush=True,
)
exit(1)
elif response.headers.get("Permissions-Policy") != permissions_policy:
elif ("Permissions-Policy" not in keep_upstream_headers and keep_upstream_headers != "*") and response.headers.get(
"Permissions-Policy"
) != permissions_policy:
print(
f'❌ Header "Permissions-Policy" doesn\'t have the right value. {response.headers.get("Permissions-Policy", "missing header")} (header) != {permissions_policy} (env), exiting ...\nheaders: {response.headers}',
flush=True,
)
exit(1)
elif ("Permissions-Policy" in keep_upstream_headers or keep_upstream_headers == "*") and response.headers.get("Permissions-Policy") == permissions_policy:
print(
f'❌ Header "Permissions-Policy" was not kept even though it was supposed to be. {response.headers.get("Permissions-Policy", "missing header")} (header) != {permissions_policy} (env), exiting ...\nheaders: {response.headers}',
flush=True,
)
exit(1)
elif response.headers.get("X-Frame-Options") != x_frame_options:
print(
f'❌ Header "X-Frame-Options" doesn\'t have the right value. {response.headers.get("X-Frame-Options", "missing header")} (header) != {x_frame_options} (env), exiting ...\nheaders: {response.headers}',
@ -130,6 +144,12 @@ try:
flush=True,
)
exit(1)
elif response.headers.get("X-DNS-Prefetch-Control") != x_dns_prefetch_control:
print(
f'❌ Header "X-DNS-Prefetch-Control" doesn\'t have the right value. {response.headers.get("X-DNS-Prefetch-Control", "missing header")} (header) != {x_dns_prefetch_control} (env), exiting ...\nheaders: {response.headers}',
flush=True,
)
exit(1)
if not response.cookies:
print("❌ No cookies were set, exiting ...", flush=True)

40
tests/core/headers/test.sh
View file

@ -38,15 +38,19 @@ else
echo "CUSTOM_HEADER=" | sudo tee -a /etc/bunkerweb/variables.env
echo "REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version" | sudo tee -a /etc/bunkerweb/variables.env
echo "KEEP_UPSTREAM_HEADERS=Content-Security-Policy X-Frame-Options" | sudo tee -a /etc/bunkerweb/variables.env
echo "STRICT_TRANSPORT_SECURITY=max-age=31536000; includeSubDomains; preload" | sudo tee -a /etc/bunkerweb/variables.env
echo "COOKIE_FLAGS=* HttpOnly SameSite=Lax" | sudo tee -a /etc/bunkerweb/variables.env
echo "COOKIE_AUTO_SECURE_FLAG=yes" | sudo tee -a /etc/bunkerweb/variables.env
echo "CONTENT_SECURITY_POLICY=object-src 'none'; form-action 'self'; frame-ancestors 'self';" | sudo tee -a /etc/bunkerweb/variables.env
echo "CONTENT_SECURITY_POLICY_REPORT_ONLY=no" | sudo tee -a /etc/bunkerweb/variables.env
echo "REFERRER_POLICY=strict-origin-when-cross-origin" | sudo tee -a /etc/bunkerweb/variables.env
echo "PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()" | sudo tee -a /etc/bunkerweb/variables.env
echo "DISABLE_FLOC=yes" | sudo tee -a /etc/bunkerweb/variables.env
echo "X_FRAME_OPTIONS=SAMEORIGIN" | sudo tee -a /etc/bunkerweb/variables.env
echo "X_CONTENT_TYPE_OPTIONS=nosniff" | sudo tee -a /etc/bunkerweb/variables.env
echo "X_XSS_PROTECTION=1; mode=block" | sudo tee -a /etc/bunkerweb/variables.env
echo "X_DNS_PREFETCH_CONTROL=off" | sudo tee -a /etc/bunkerweb/variables.env
sudo cp ready.conf /etc/bunkerweb/configs/server-http
fi
@ -58,16 +62,20 @@ cleanup_stack () {
if [ "$integration" == "docker" ] ; then
find . -type f -name 'docker-compose.*' -exec sed -i 's@CUSTOM_HEADER: "X-Test: test"@CUSTOM_HEADER: ""@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@REMOVE_HEADERS: ".*"$@REMOVE_HEADERS: "Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@KEEP_UPSTREAM_HEADERS: ".*"$@KEEP_UPSTREAM_HEADERS: "Content-Security-Policy X-Frame-Options"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@STRICT_TRANSPORT_SECURITY: "max-age=86400"@STRICT_TRANSPORT_SECURITY: "max-age=31536000; includeSubDomains; preload"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@COOKIE_FLAGS: ".*"$@COOKIE_FLAGS: "* HttpOnly SameSite=Lax"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@GENERATE_SELF_SIGNED_SSL: "yes"@GENERATE_SELF_SIGNED_SSL: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@COOKIE_AUTO_SECURE_FLAG: "no"@COOKIE_AUTO_SECURE_FLAG: "yes"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CONTENT_SECURITY_POLICY: ".*"$@CONTENT_SECURITY_POLICY: "object-src '"'"'none'"'"'; form-action '"'"'self'"'"'; frame-ancestors '"'"'self'"'"';"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CONTENT_SECURITY_POLICY_REPORT_ONLY: ".*"$@CONTENT_SECURITY_POLICY_REPORT_ONLY: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@REFERRER_POLICY: "no-referrer"@REFERRER_POLICY: "strict-origin-when-cross-origin"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@PERMISSIONS_POLICY: ".*"$@PERMISSIONS_POLICY: "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@DISABLE_FLOC: ".*"@DISABLE_FLOC: "yes"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_FRAME_OPTIONS: "DENY"@X_FRAME_OPTIONS: "SAMEORIGIN"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_CONTENT_TYPE_OPTIONS: ""@X_CONTENT_TYPE_OPTIONS: "nosniff"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_XSS_PROTECTION: "0"@X_XSS_PROTECTION: "1; mode=block"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_DNS_PREFETCH_CONTROL: ".*"@X_DNS_PREFETCH_CONTROL: "off"@' {} \;
if [[ $(sed '27!d' docker-compose.yml) = ' COOKIE_FLAGS_1: "bw_cookie SameSite=Lax"' ]] ; then
sed -i '27d' docker-compose.yml
@ -80,27 +88,35 @@ cleanup_stack () {
sudo sed -i 's@GENERATE_SELF_SIGNED_SSL=.*$@GENERATE_SELF_SIGNED_SSL=no@' /etc/bunkerweb/variables.env
sudo sed -i 's@CUSTOM_HEADER=.*$@CUSTOM_HEADER=@' /etc/bunkerweb/variables.env
sudo sed -i 's@REMOVE_HEADERS=.*$@REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version@' /etc/bunkerweb/variables.env
sudo sed -i 's@KEEP_UPSTREAM_HEADERS=.*$@KEEP_UPSTREAM_HEADERS=Content-Security-Policy X-Frame-Options@' /etc/bunkerweb/variables.env
sudo sed -i 's@STRICT_TRANSPORT_SECURITY=.*$@STRICT_TRANSPORT_SECURITY=max-age=31536000; includeSubDomains; preload@' /etc/bunkerweb/variables.env
sudo sed -i 's@COOKIE_FLAGS=.*$@COOKIE_FLAGS=* HttpOnly SameSite=Lax@' /etc/bunkerweb/variables.env
sudo sed -i 's@COOKIE_AUTO_SECURE_FLAG=.*$@COOKIE_AUTO_SECURE_FLAG=yes@' /etc/bunkerweb/variables.env
sudo sed -i 's@CONTENT_SECURITY_POLICY=.*$@CONTENT_SECURITY_POLICY=object-src '"'"'none'"'"'; form-action '"'"'self'"'"'; frame-ancestors '"'"'self'"'"';@' /etc/bunkerweb/variables.env
sudo sed -i 's@CONTENT_SECURITY_POLICY_REPORT_ONLY=.*$@CONTENT_SECURITY_POLICY_REPORT_ONLY=no@' /etc/bunkerweb/variables.env
sudo sed -i 's@REFERRER_POLICY=.*$@REFERRER_POLICY=strict-origin-when-cross-origin@' /etc/bunkerweb/variables.env
sudo sed -i 's@PERMISSIONS_POLICY=.*$@PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()@' /etc/bunkerweb/variables.env
sudo sed -i 's@DISABLE_FLOC=.*$@DISABLE_FLOC=yes@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_FRAME_OPTIONS=.*$@X_FRAME_OPTIONS=SAMEORIGIN@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_CONTENT_TYPE_OPTIONS=.*$@X_CONTENT_TYPE_OPTIONS=nosniff@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_XSS_PROTECTION=.*$@X_XSS_PROTECTION=1; mode=block@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_DNS_PREFETCH_CONTROL=.*$@X_DNS_PREFETCH_CONTROL=off@' /etc/bunkerweb/variables.env
unset GENERATE_SELF_SIGNED_SSL
unset CUSTOM_HEADER
unset REMOVE_HEADERS
unset KEEP_UPSTREAM_HEADERS
unset STRICT_TRANSPORT_SECURITY
unset COOKIE_FLAGS
unset COOKIE_AUTO_SECURE_FLAG
unset CONTENT_SECURITY_POLICY
unset CONTENT_SECURITY_POLICY_REPORT_ONLY
unset REFERRER_POLICY
unset PERMISSIONS_POLICY
unset DISABLE_FLOC
unset X_FRAME_OPTIONS
unset X_CONTENT_TYPE_OPTIONS
unset X_XSS_PROTECTION
unset X_DNS_PREFETCH_CONTROL
if [[ $(sudo tail -n 1 /etc/bunkerweb/variables.env) = 'COOKIE_FLAGS_1=bw_cookie SameSite=Lax' ]] ; then
sudo sed -i '$ d' /etc/bunkerweb/variables.env
@ -142,30 +158,39 @@ do
find . -type f -name 'docker-compose.*' -exec sed -i 's@REMOVE_HEADERS: ".*"$@REMOVE_HEADERS: "X-Powered-By X-AspNet-Version X-AspNetMvc-Version"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@STRICT_TRANSPORT_SECURITY: "max-age=31536000; includeSubDomains; preload"@STRICT_TRANSPORT_SECURITY: "max-age=86400"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CONTENT_SECURITY_POLICY: ".*"$@CONTENT_SECURITY_POLICY: "object-src '"'"'none'"'"'; frame-ancestors '"'"'self'"'"';"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CONTENT_SECURITY_POLICY_REPORT_ONLY: "no"@CONTENT_SECURITY_POLICY_REPORT_ONLY: "yes"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@REFERRER_POLICY: "strict-origin-when-cross-origin"@REFERRER_POLICY: "no-referrer"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@PERMISSIONS_POLICY: ".*"$@PERMISSIONS_POLICY: "geolocation=(self), microphone=()"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@DISABLE_FLOC: "yes"@DISABLE_FLOC: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_FRAME_OPTIONS: "SAMEORIGIN"@X_FRAME_OPTIONS: "DENY"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_CONTENT_TYPE_OPTIONS: "nosniff"@X_CONTENT_TYPE_OPTIONS: ""@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_XSS_PROTECTION: "1; mode=block"@X_XSS_PROTECTION: "0"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_DNS_PREFETCH_CONTROL: "off"@X_DNS_PREFETCH_CONTROL: "on"@' {} \;
else
sudo sed -i 's@CUSTOM_HEADER=.*$@CUSTOM_HEADER=X-Test: test@' /etc/bunkerweb/variables.env
sudo sed -i 's@REMOVE_HEADERS=.*$@REMOVE_HEADERS=X-Powered-By X-AspNet-Version X-AspNetMvc-Version@' /etc/bunkerweb/variables.env
sudo sed -i 's@STRICT_TRANSPORT_SECURITY=.*$@STRICT_TRANSPORT_SECURITY=max-age=86400@' /etc/bunkerweb/variables.env
sudo sed -i 's@CONTENT_SECURITY_POLICY=.*$@CONTENT_SECURITY_POLICY=object-src '"'"'none'"'"'; frame-ancestors '"'"'self'"'"';@' /etc/bunkerweb/variables.env
sudo sed -i 's@CONTENT_SECURITY_POLICY_REPORT_ONLY=.*$@CONTENT_SECURITY_POLICY_REPORT_ONLY=yes@' /etc/bunkerweb/variables.env
sudo sed -i 's@REFERRER_POLICY=.*$@REFERRER_POLICY=no-referrer@' /etc/bunkerweb/variables.env
sudo sed -i 's@PERMISSIONS_POLICY=.*$@PERMISSIONS_POLICY=geolocation=(self), microphone=()@' /etc/bunkerweb/variables.env
sudo sed -i 's@DISABLE_FLOC=.*$@DISABLE_FLOC=no@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_FRAME_OPTIONS=.*$@X_FRAME_OPTIONS=DENY@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_CONTENT_TYPE_OPTIONS=.*$@X_CONTENT_TYPE_OPTIONS=@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_XSS_PROTECTION=.*$@X_XSS_PROTECTION=0@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_DNS_PREFETCH_CONTROL=.*$@X_DNS_PREFETCH_CONTROL=on@' /etc/bunkerweb/variables.env
export CUSTOM_HEADER="X-Test: test"
export REMOVE_HEADERS="X-Powered-By X-AspNet-Version X-AspNetMvc-Version"
export STRICT_TRANSPORT_SECURITY="max-age=86400"
export CONTENT_SECURITY_POLICY="object-src 'none'; frame-ancestors 'self';"
export CONTENT_SECURITY_POLICY_REPORT_ONLY="yes"
export REFERRER_POLICY="no-referrer"
export PERMISSIONS_POLICY="geolocation=(self), microphone=()"
export DISABLE_FLOC="no"
export X_FRAME_OPTIONS="DENY"
export X_CONTENT_TYPE_OPTIONS=""
export X_XSS_PROTECTION="0"
export X_DNS_PREFETCH_CONTROL="on"
fi
elif [ "$test" = "no_httponly_flag" ] ; then
echo "🎛️ Running tests without HttpOnly flag for cookies and with default values ..."
@ -173,48 +198,63 @@ do
find . -type f -name 'docker-compose.*' -exec sed -i 's@COOKIE_FLAGS: ".*"$@COOKIE_FLAGS: "* SameSite=Lax"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CUSTOM_HEADER: "X-Test: test"@CUSTOM_HEADER: ""@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@REMOVE_HEADERS: ".*"$@REMOVE_HEADERS: "Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@KEEP_UPSTREAM_HEADERS: ".*"$@KEEP_UPSTREAM_HEADERS: "Content-Security-Policy Permission-Policy X-Frame-Options"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@STRICT_TRANSPORT_SECURITY: "max-age=86400"@STRICT_TRANSPORT_SECURITY: "max-age=31536000; includeSubDomains; preload"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@GENERATE_SELF_SIGNED_SSL: "yes"@GENERATE_SELF_SIGNED_SSL: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CONTENT_SECURITY_POLICY: ".*"$@CONTENT_SECURITY_POLICY: "object-src '"'"'none'"'"'; form-action '"'"'self'"'"'; frame-ancestors '"'"'self'"'"';"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@CONTENT_SECURITY_POLICY_REPORT_ONLY: "no"@CONTENT_SECURITY_POLICY_REPORT_ONLY: "yes"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@REFERRER_POLICY: "no-referrer"@REFERRER_POLICY: "strict-origin-when-cross-origin"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@PERMISSIONS_POLICY: ".*"$@PERMISSIONS_POLICY: "accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@DISABLE_FLOC: "yes"@DISABLE_FLOC: "no"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_FRAME_OPTIONS: "DENY"@X_FRAME_OPTIONS: "SAMEORIGIN"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_CONTENT_TYPE_OPTIONS: ""@X_CONTENT_TYPE_OPTIONS: "nosniff"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_XSS_PROTECTION: "0"@X_XSS_PROTECTION: "1; mode=block"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@X_DNS_PREFETCH_CONTROL: "off"@X_DNS_PREFETCH_CONTROL: "on"@' {} \;
else
sudo sed -i 's@COOKIE_FLAGS=.*$@COOKIE_FLAGS=* SameSite=Lax@' /etc/bunkerweb/variables.env
sudo sed -i 's@CUSTOM_HEADER=.*$@CUSTOM_HEADER=@' /etc/bunkerweb/variables.env
sudo sed -i 's@REMOVE_HEADERS=.*$@REMOVE_HEADERS=Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version@' /etc/bunkerweb/variables.env
sudo sed -i 's@KEEP_UPSTREAM_HEADERS=.*$@KEEP_UPSTREAM_HEADERS=Content-Security-Policy Permission-Policy X-Frame-Options@' /etc/bunkerweb/variables.env
sudo sed -i 's@STRICT_TRANSPORT_SECURITY=.*$@STRICT_TRANSPORT_SECURITY=max-age=31536000; includeSubDomains; preload@' /etc/bunkerweb/variables.env
sudo sed -i 's@GENERATE_SELF_SIGNED_SSL=.*$@GENERATE_SELF_SIGNED_SSL=no@' /etc/bunkerweb/variables.env
sudo sed -i 's@CONTENT_SECURITY_POLICY=.*$@CONTENT_SECURITY_POLICY=object-src '"'"'none'"'"'; form-action '"'"'self'"'"'; frame-ancestors '"'"'self'"'"';@' /etc/bunkerweb/variables.env
sudo sed -i 's@CONTENT_SECURITY_POLICY_REPORT_ONLY=.*$@CONTENT_SECURITY_POLICY_REPORT_ONLY=yes@' /etc/bunkerweb/variables.env
sudo sed -i 's@REFERRER_POLICY=.*$@REFERRER_POLICY=strict-origin-when-cross-origin@' /etc/bunkerweb/variables.env
sudo sed -i 's@PERMISSIONS_POLICY=.*$@PERMISSIONS_POLICY=accelerometer=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), compute-pressure=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()@' /etc/bunkerweb/variables.env
sudo sed -i 's@DISABLE_FLOC=.*$@DISABLE_FLOC=no@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_FRAME_OPTIONS=.*$@X_FRAME_OPTIONS=SAMEORIGIN@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_CONTENT_TYPE_OPTIONS=.*$@X_CONTENT_TYPE_OPTIONS=nosniff@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_XSS_PROTECTION=.*$@X_XSS_PROTECTION=1; mode=block@' /etc/bunkerweb/variables.env
sudo sed -i 's@X_DNS_PREFETCH_CONTROL=.*$@X_DNS_PREFETCH_CONTROL=on@' /etc/bunkerweb/variables.env
export COOKIE_FLAGS="* SameSite=Lax"
export KEEP_UPSTREAM_HEADERS="Content-Security-Policy Permission-Policy X-Frame-Options"
unset CUSTOM_HEADER
unset REMOVE_HEADERS
unset STRICT_TRANSPORT_SECURITY
unset CONTENT_SECURITY_POLICY
unset CONTENT_SECURITY_POLICY_REPORT_ONLY
unset REFERRER_POLICY
unset PERMISSIONS_POLICY
unset DISABLE_FLOC
unset X_FRAME_OPTIONS
unset X_CONTENT_TYPE_OPTIONS
unset X_XSS_PROTECTION
unset X_DNS_PREFETCH_CONTROL
fi
elif [ "$test" = "multiple_no_httponly_flag" ] ; then
echo "🎛️ Running tests with HttpOnly flag overridden for cookie \"bw_cookie\" and default cookies flags ..."
if [ "$integration" == "docker" ] ; then
find . -type f -name 'docker-compose.*' -exec sed -i 's@COOKIE_FLAGS: ".*"$@COOKIE_FLAGS: "* HttpOnly SameSite=Lax"@' {} \;
find . -type f -name 'docker-compose.*' -exec sed -i 's@KEEP_UPSTREAM_HEADERS: ".*"$@KEEP_UPSTREAM_HEADERS: "Content-Security-Policy X-Frame-Options"@' {} \;
sed -i '27i \ COOKIE_FLAGS_1: "bw_cookie SameSite=Lax"' docker-compose.yml
sed -i '13i \ COOKIE_FLAGS_1: "bw_cookie SameSite=Lax"' docker-compose.test.yml
else
sudo sed -i 's@COOKIE_FLAGS=.*$@COOKIE_FLAGS=* HttpOnly SameSite=Lax@' /etc/bunkerweb/variables.env
echo "COOKIE_FLAGS_1=bw_cookie SameSite=Lax" | sudo tee -a /etc/bunkerweb/variables.env
sudo sed -i 's@KEEP_UPSTREAM_HEADERS=.*$@KEEP_UPSTREAM_HEADERS=Content-Security-Policy X-Frame-Options@' /etc/bunkerweb/variables.env
export COOKIE_FLAGS="* HttpOnly SameSite=Lax"
export COOKIE_FLAGS_1="bw_cookie SameSite=Lax"
unset KEEP_UPSTREAM_HEADERS
fi
elif [ "$test" = "with_ssl" ] ; then
echo "🎛️ Running tests with ssl ..."

1
tests/core/headers/www/index.php
View file

@ -1,3 +1,4 @@
<?php
setcookie("bw_cookie", "test", time() + (86400 * 30), "/"); // 86400 = 1 day
header("Permission-Policy: geolocation=()")
?>