PP-5846: assert csp behaviour; clean up naming
sfount committed Nov 18, 2019
1 parent 80dcdd6 commit 0710638
Showing 3 changed files with 22 additions and 10 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -16,7 +16,7 @@ GOV.UK Pay Frontend application (Node.js)
| `WORLDPAY_3DS_FLEX_CHALLENGE_TEST_URL` | X | `https://secure-test.worldpay.com/shopper/3ds/challenge.html` | Pointing to Worldpay's TEST 3ds flex challenge URL. |
| `WORLDPAY_3DS_FLEX_CHALLENGE_LIVE_URL` | X | `https://centinelapi.cardinalcommerce.com/V2/Cruise/StepUp` | Pointing to Worldpay's LIVE 3ds flex challenge URL. |
| `CSP_SEND_HEADER` | | false/undefined | Apply card payment contest security policy headers. |
| `CSP_ENFORCE_VIOLATIONS` | | false/undefined | Browser will block content security policy violations if set to true, default is to only report on violations. |
| `CSP_ENFORCE` | | false/undefined | Browser will block content security policy violations if set to true, default is to only report on violations. |
| `CSP_REPORT_URI` | | | URI to receive CSP violation reports. |

## Licence
10 changes: 5 additions & 5 deletions app/middleware/csp.js
@@ -1,7 +1,7 @@
const helmet = require('helmet')

const applyCspRulesEnabled = process.env.CSP_SEND_HEADER === 'true'
const blockCspViolations = process.env.CSP_ENFORCE_VIOLATIONS === 'true'
const sendCspHeader = process.env.CSP_SEND_HEADER === 'true'
const enforceCsp = process.env.CSP_ENFORCE === 'true'
const cspReportUri = process.env.CSP_REPORT_URI
const { environment } = process.env

Expand All @@ -11,9 +11,9 @@ const csp = helmet.contentSecurityPolicy({
directives: {
reportUri: sentryCspReportUri
},
reportOnly: !blockCspViolations
reportOnly: !enforceCsp
})

const skipCSPRules = (req, res, next) => { next() }
const skipSendingCspHeader = (req, res, next) => { next() }

module.exports = applyCspRulesEnabled ? csp : skipCSPRules
module.exports = sendCspHeader ? csp : skipSendingCspHeader
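Review bot: The rename of the environment variable from `CSP_ENFORCE_VIOLATIONS` to `CSP_ENFORCE` at line 34 has no transitional fallback, so a deployment that still sets the old name silently falls back to report-only, because `reportOnly: !enforceCsp` evaluates to true whenever the new name is unset. Since this is the switch that decides whether the browser actually blocks policy violations, a silent downgrade is worse than a loud one; consider `const enforceCsp = process.env.CSP_ENFORCE === 'true' || process.env.CSP_ENFORCE_VIOLATIONS === 'true'` with a deprecation warning logged when the old name is the one in use, until the configuration has been migrated everywhere. The `reportUri: sentryCspReportUri` on line 40 refers to a name defined outside the hunk, presumably derived from `cspReportUri` on line 35; worth confirming it is not left undefined when `CSP_REPORT_URI` is unset.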
20 changes: 16 additions & 4 deletions test/middleware/csp_test.js
Expand Up @@ -15,7 +15,7 @@ const requireHelper = function requireHelper (module) {
}

describe('CSP middleware', () => {
it('should not apply rules if the feature is switched off', () => {
it('should not set the Content-Security-Policy header if the feature is switched off', () => {
process.env.CSP_SEND_HEADER = 'false'
const csp = requireHelper('../../app/middleware/csp')

Expand All @@ -27,15 +27,27 @@ describe('CSP middleware', () => {
expect(response.setHeader.called).to.be.false
})

it('should apply rules if the feature is switched on', () => {
it('should set Report-Only on Content-Security-Policy if enforce policy is switched off', () => {
process.env.CSP_SEND_HEADER = 'true'
process.env.CSP_ENFORCE = 'false'
const csp = requireHelper('../../app/middleware/csp')

const next = sinon.spy()
const response = { setHeader: sinon.spy() }
csp(mockRequest, response, next)

expect(next.called).to.be.true
expect(response.setHeader.called).to.be.true
sinon.assert.calledWith(response.setHeader, 'Content-Security-Policy-Report-Only')
})

it('should set standard Content-Security-Policy header (enforced) if enforce policy is switched on', () => {
process.env.CSP_SEND_HEADER = 'true'
process.env.CSP_ENFORCE = 'true'
const csp = requireHelper('../../app/middleware/csp')

const next = sinon.spy()
const response = { setHeader: sinon.spy() }
csp(mockRequest, response, next)

sinon.assert.calledWith(response.setHeader, 'Content-Security-Policy')
})
})
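Review bot: The enforced-mode case at lines 81-91 omits the `expect(next.called).to.be.true` assertion that the other two cases keep, so a middleware that sets the header but never calls next would still pass there. Each case also only checks that its expected header name was used, never that the other variant is absent; adding `sinon.assert.neverCalledWith(response.setHeader, 'Content-Security-Policy')` to the report-only case, and the mirror `neverCalledWith(response.setHeader, 'Content-Security-Policy-Report-Only')` to the enforced case, would pin that exactly one CSP header is emitted for a given configuration. The cases assign `process.env.CSP_SEND_HEADER` and `process.env.CSP_ENFORCE` and never restore them, so the final `'true'` values leak into whatever suite runs next; an `afterEach` that deletes both keys would contain that. The describe block begins outside the hunk.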
