vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-20 06:20:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(gateway): add Permissions-Policy header to default security headers

Browse Source
This commit is contained in:
habakan
2026-03-01 10:02:09 +09:00
committed by George Pickett
parent 0d97101665
commit 9209b77898
2 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
src/gateway/http-common.test.ts Normal file
View File

@@ -0,0 +1,49 @@
import { describe, expect, it } from "vitest";
import { setDefaultSecurityHeaders } from "./http-common.js";
import { makeMockHttpResponse } from "./test-http-response.js";
describe("setDefaultSecurityHeaders", () => {
it("sets X-Content-Type-Options", () => {
const { res, setHeader } = makeMockHttpResponse();
setDefaultSecurityHeaders(res);
expect(setHeader).toHaveBeenCalledWith("X-Content-Type-Options", "nosniff");
});
it("sets Referrer-Policy", () => {
const { res, setHeader } = makeMockHttpResponse();
setDefaultSecurityHeaders(res);
expect(setHeader).toHaveBeenCalledWith("Referrer-Policy", "no-referrer");
});
it("sets Permissions-Policy", () => {
const { res, setHeader } = makeMockHttpResponse();
setDefaultSecurityHeaders(res);
expect(setHeader).toHaveBeenCalledWith(
"Permissions-Policy",
"camera=(), microphone=(), geolocation=()",
);
});
it("sets Strict-Transport-Security when provided", () => {
const { res, setHeader } = makeMockHttpResponse();
setDefaultSecurityHeaders(res, {
strictTransportSecurity: "max-age=63072000; includeSubDomains; preload",
});
expect(setHeader).toHaveBeenCalledWith(
"Strict-Transport-Security",
"max-age=63072000; includeSubDomains; preload",
);
});
it("does not set Strict-Transport-Security when not provided", () => {
const { res, setHeader } = makeMockHttpResponse();
setDefaultSecurityHeaders(res);
expect(setHeader).not.toHaveBeenCalledWith("Strict-Transport-Security", expect.anything());
});
it("does not set Strict-Transport-Security for empty string", () => {
const { res, setHeader } = makeMockHttpResponse();
setDefaultSecurityHeaders(res, { strictTransportSecurity: "" });
expect(setHeader).not.toHaveBeenCalledWith("Strict-Transport-Security", expect.anything());
});
});

1
src/gateway/http-common.ts
View File

@@ -14,6 +14,7 @@ export function setDefaultSecurityHeaders(
) {
res.setHeader("X-Content-Type-Options", "nosniff");
res.setHeader("Referrer-Policy", "no-referrer");
res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
const strictTransportSecurity = opts?.strictTransportSecurity;
if (typeof strictTransportSecurity === "string" && strictTransportSecurity.length > 0) {
res.setHeader("Strict-Transport-Security", strictTransportSecurity);