RubyGems - secure_headers - Versions diffs - 2.5.3 → 3.0.0.pre - Mend

secure_headers 2.5.3 → 3.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

data/spec/lib/secure_headers_spec.rb CHANGED Viewed

@@ -1,378 +1,240 @@
 require 'spec_helper'
-describe SecureHeaders do
-  subject {DummyClass.new}
-  let(:headers) {double}
-  let(:response) {double(:headers => headers)}
-  let(:max_age) {99}
-  let(:request) {double(:ssl? => true, :url => 'https://example.com')}
-  before(:each) do
-    reset_config
-    stub_user_agent(nil)
-    allow(headers).to receive(:[])
-    allow(subject).to receive(:response).and_return(response)
-    allow(subject).to receive(:request).and_return(request)
-  end
-  def stub_user_agent val
-    allow(request).to receive_message_chain(:env, :[]).and_return(val)
-  end
-  def reset_config
-    ::SecureHeaders::Configuration.default do |config|
-      config.hpkp = nil
-      config.hsts = nil
-      config.x_frame_options = nil
-      config.x_content_type_options = nil
-      config.x_xss_protection = nil
-      config.csp = nil
-      config.x_download_options = nil
-      config.x_permitted_cross_domain_policies = nil
-    end
-  end
-  def set_security_headers(subject)
-    subject.set_csp_header
-    subject.set_hpkp_header
-    subject.set_hsts_header
-    subject.set_x_frame_options_header
-    subject.set_x_content_type_options_header
-    subject.set_x_xss_protection_header
-    subject.set_x_download_options_header
-    subject.set_x_permitted_cross_domain_policies_header
-  end
-  describe "#set_header" do
-    it "accepts name/value pairs" do
-      should_assign_header("X-Hipster-Ipsum", "kombucha")
-      subject.send(:set_header, "X-Hipster-Ipsum", "kombucha")
-    end
-    it "accepts header objects" do
-      should_assign_header("Strict-Transport-Security", SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-      subject.send(:set_header, SecureHeaders::StrictTransportSecurity.new)
-    end
-  end
-  describe "#set_security_headers" do
-    USER_AGENTS.each do |name, useragent|
-      it "sets all default headers for #{name} (smoke test)" do
-        stub_user_agent(useragent)
-        number_of_headers = 7
-        expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
-        subject.set_csp_header
-        subject.set_x_frame_options_header
-        subject.set_hsts_header
-        subject.set_hpkp_header
-        subject.set_x_xss_protection_header
-        subject.set_x_content_type_options_header
-        subject.set_x_download_options_header
-        subject.set_x_permitted_cross_domain_policies_header
+module SecureHeaders
+  describe SecureHeaders do
+    example_hpkp_config = {
+      max_age: 1_000_000,
+      include_subdomains: true,
+      report_uri: '//example.com/uri-directive',
+      pins: [
+        { sha256: 'abc' },
+        { sha256: '123' }
+      ]
+    }
+    example_hpkp_config_value = %(max-age=1000000; pin-sha256="abc"; pin-sha256="123"; report-uri="//example.com/uri-directive"; includeSubDomains)
+    before(:each) do
+      reset_config
+      @request = Rack::Request.new("HTTP_X_FORWARDED_SSL" => "on")
+    end
+    it "raises a NotYetConfiguredError if default has not been set" do
+      expect do
+        SecureHeaders.header_hash_for(@request)
+      end.to raise_error(Configuration::NotYetConfiguredError)
+    end
+    it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
+      expect do
+        SecureHeaders.opt_out_of_header(@request, CSP::CONFIG_KEY)
+      end.to raise_error(Configuration::NotYetConfiguredError)
+    end
+    describe "#header_hash_for" do
+      it "allows you to opt out of individual headers" do
+        Configuration.default
+        SecureHeaders.opt_out_of_header(@request, CSP::CONFIG_KEY)
+        hash = SecureHeaders.header_hash_for(@request)
+        expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+        expect(hash['Content-Security-Policy']).to be_nil
       end
-    end
-    it "does not set the X-Content-Type-Options header if disabled" do
-      stub_user_agent(USER_AGENTS[:ie])
-      should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)
-      subject.set_x_content_type_options_header(false)
-    end
-    it "does not set the X-XSS-Protection header if disabled" do
-      should_not_assign_header(X_XSS_PROTECTION_HEADER_NAME)
-      subject.set_x_xss_protection_header(false)
-    end
-    it "does not set the X-Download-Options header if disabled" do
-      should_not_assign_header(XDO_HEADER_NAME)
-      subject.set_x_download_options_header(false)
-    end
-    it "does not set the X-Frame-Options header if disabled" do
-      should_not_assign_header(XFO_HEADER_NAME)
-      subject.set_x_frame_options_header(false)
-    end
-    it "does not set the X-Permitted-Cross-Domain-Policies header if disabled" do
-      should_not_assign_header(XPCDP_HEADER_NAME)
-      subject.set_x_permitted_cross_domain_policies_header(false)
-    end
-    it "does not set the HSTS header if disabled" do
-      should_not_assign_header(HSTS_HEADER_NAME)
-      subject.set_hsts_header(false)
-    end
-    it "does not set the HSTS header if request is over HTTP" do
-      allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
-      should_not_assign_header(HSTS_HEADER_NAME)
-      subject.set_hsts_header({:include_subdomains => true})
-    end
-    it "does not set the HPKP header if disabled" do
-      should_not_assign_header(HPKP_HEADER_NAME)
-      subject.set_hpkp_header
-    end
-    it "does not set the HPKP header if request is over HTTP" do
-      allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
-      should_not_assign_header(HPKP_HEADER_NAME)
-      subject.set_hpkp_header(:max_age => 1234)
-    end
-    it "does not set the CSP header if disabled" do
-      stub_user_agent(USER_AGENTS[:chrome])
-      should_not_assign_header(HEADER_NAME)
-      subject.set_csp_header(false)
-    end
-    it "saves the options to the env when using script hashes" do
-      opts = {
-        :default_src => "'self'",
-        :script_hash_middleware => true
-      }
-      stub_user_agent(USER_AGENTS[:chrome])
-      expect(SecureHeaders::ContentSecurityPolicy).to receive(:add_to_env)
-      subject.set_csp_header(opts)
-    end
-    context "when disabled by configuration settings" do
-      it "does not set any headers when disabled" do
-        ::SecureHeaders::Configuration.default do |config|
-          config.hsts = false
-          config.hpkp = false
-          config.x_frame_options = false
-          config.x_content_type_options = false
-          config.x_xss_protection = false
-          config.csp = false
-          config.x_download_options = false
-          config.x_permitted_cross_domain_policies = false
+      it "allows you to opt out entirely" do
+        Configuration.default
+        SecureHeaders.opt_out_of_all_protection(@request)
+        hash = SecureHeaders.header_hash_for(@request)
+        ALL_HEADER_CLASSES.each do |klass|
+          expect(hash[klass::CONFIG_KEY]).to be_nil
         end
-        expect(subject).not_to receive(:set_header)
-        set_security_headers(subject)
-        reset_config
       end
-    end
-  end
-  describe "SecureHeaders#header_hash" do
-    def expect_default_values(hash)
-      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-      expect(hash[XDO_HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-      expect(hash[HSTS_HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-      expect(hash[X_XSS_PROTECTION_HEADER_NAME]).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-      expect(hash[X_CONTENT_TYPE_OPTIONS_HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-      expect(hash[XPCDP_HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
-    end
+      it "allows you to override X-Frame-Options settings" do
+        Configuration.default
+        SecureHeaders.override_x_frame_options(@request, XFrameOptions::DENY)
+        hash = SecureHeaders.header_hash_for(@request)
+        expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::DENY)
+      end
-    it "produces a hash of headers given a hash as config" do
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
-      expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
-      expect_default_values(hash)
-    end
+      it "allows you to override opting out" do
+        Configuration.default do |config|
+          config.x_frame_options = OPT_OUT
+          config.csp = OPT_OUT
+        end
-    it "allows opting out" do
-      hash = SecureHeaders::header_hash(:csp => false, :hpkp => false)
-      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
-      expect(hash['Content-Security-Policy']).to be_nil
-    end
+        SecureHeaders.override_x_frame_options(@request, XFrameOptions::SAMEORIGIN)
+        SecureHeaders.override_content_security_policy_directives(@request, default_src: %w(https:), script_src: %w('self'))
-    it "allows opting out with config" do
-      ::SecureHeaders::Configuration.default do |config|
-        config.hsts = false
-        config.csp = false
+        hash = SecureHeaders.header_hash_for(@request)
+        expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; script-src 'self'")
+        expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
       end
-      hash = SecureHeaders::header_hash
-      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
-      expect(hash['Content-Security-Policy']).to be_nil
-    end
-    it "produces a hash with a mix of config values, override values, and default values" do
-      ::SecureHeaders::Configuration.default do |config|
-        config.hsts = { :max_age => '123456'}
-        config.hpkp = {
-          :enforce => true,
-          :max_age => 1000000,
-          :include_subdomains => true,
-          :report_uri => '//example.com/uri-directive',
-          :pins => [
-            {:sha256 => 'abc'},
-            {:sha256 => '123'}
-          ]
-        }
+      it "produces a hash of headers with default config" do
+        Configuration.default
+        hash = SecureHeaders.header_hash_for(@request)
+        expect_default_values(hash)
       end
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
-      ::SecureHeaders::Configuration.default do |config|
-        config.hsts = nil
-        config.hpkp = nil
+      it "does not set the HSTS header if request is over HTTP" do
+        plaintext_request = Rack::Request.new({})
+        Configuration.default do |config|
+          config.hsts = "max-age=123456"
+        end
+        expect(SecureHeaders.header_hash_for(plaintext_request)[StrictTransportSecurity::HEADER_NAME]).to be_nil
       end
-      expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
-      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-      expect(hash[HSTS_HEADER_NAME]).to eq("max-age=123456")
-      expect(hash[HPKP_HEADER_NAME]).to eq(%{max-age=1000000; pin-sha256="abc"; pin-sha256="123"; report-uri="//example.com/uri-directive"; includeSubDomains})
-    end
-    it "produces a hash of headers with default config" do
-      hash = SecureHeaders::header_hash
-      expect(hash['Content-Security-Policy-Report-Only']).to eq(SecureHeaders::ContentSecurityPolicy::Constants::DEFAULT_CSP_HEADER)
-      expect_default_values(hash)
-    end
-  end
-  describe "#set_x_frame_options_header" do
-    it "sets the X-Frame-Options header" do
-      should_assign_header(XFO_HEADER_NAME, SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-      subject.set_x_frame_options_header
-    end
-    it "allows a custom X-Frame-Options header" do
-      should_assign_header(XFO_HEADER_NAME, "DENY")
-      subject.set_x_frame_options_header(:value => 'DENY')
-    end
-  end
-  describe "#set_x_download_options_header" do
-    it "sets the X-Download-Options header" do
-      should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-      subject.set_x_download_options_header
-    end
-    it "allows a custom X-Download-Options header" do
-      should_assign_header(XDO_HEADER_NAME, "noopen")
-      subject.set_x_download_options_header(:value => 'noopen')
-    end
-  end
-  describe "#set_strict_transport_security" do
-    it "sets the Strict-Transport-Security header" do
-      should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-      subject.set_hsts_header
-    end
-    it "allows you to specific a custom max-age value" do
-      should_assign_header(HSTS_HEADER_NAME, 'max-age=1234')
-      subject.set_hsts_header(:max_age => 1234)
-    end
-    it "allows you to specify includeSubdomains" do
-      should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
-      subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
-    end
-    it "allows you to specify preload" do
-      should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
-      subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
-    end
-  end
-  describe "#set_public_key_pins" do
-    it "sets the Public-Key-Pins header" do
-      should_assign_header(HPKP_HEADER_NAME + "-Report-Only", "max-age=1234")
-      subject.set_hpkp_header(:max_age => 1234)
-    end
-    it "allows you to enforce public key pinning" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234")
-      subject.set_hpkp_header(:max_age => 1234, :enforce => true)
-    end
+      it "does not set the HPKP header if request is over HTTP" do
+        plaintext_request = Rack::Request.new({})
+        Configuration.default do |config|
+          config.hpkp = example_hpkp_config
+        end
-    it "allows you to specific a custom max-age value" do
-      should_assign_header(HPKP_HEADER_NAME + "-Report-Only", 'max-age=1234')
-      subject.set_hpkp_header(:max_age => 1234)
-    end
+        expect(SecureHeaders.header_hash_for(plaintext_request)[PublicKeyPins::HEADER_NAME]).to be_nil
+      end
-    it "allows you to specify includeSubdomains" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234; includeSubDomains")
-      subject.set_hpkp_header(:max_age => 1234, :include_subdomains => true, :enforce => true)
-    end
+      context "content security policy" do
+        it "appends a value to csp directive" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w(mycdn.com 'unsafe-inline')
+            }
+          end
+          SecureHeaders.append_content_security_policy_directives(@request, script_src: %w(anothercdn.com))
+          hash = SecureHeaders.header_hash_for(@request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
+        end
-    it "allows you to specify a report-uri" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234; report-uri=\"https://foobar.com\"")
-      subject.set_hpkp_header(:max_age => 1234, :report_uri => "https://foobar.com", :enforce => true)
-    end
+        it "overrides individual directives" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self')
+            }
+          end
+          SecureHeaders.override_content_security_policy_directives(@request, default_src: %w('none'))
+          hash = SecureHeaders.header_hash_for(@request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'none'")
+        end
-    it "allows you to specify a report-uri with app_name" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234; report-uri=\"https://foobar.com?enforce=true&app_name=my_app\"")
-      subject.set_hpkp_header(:max_age => 1234, :report_uri => "https://foobar.com", :app_name => "my_app", :tag_report_uri => true, :enforce => true)
-    end
-  end
+        it "overrides non-existant directives" do
+          Configuration.default
+          SecureHeaders.override_content_security_policy_directives(@request, img_src: [ContentSecurityPolicy::DATA_PROTOCOL])
+          hash = SecureHeaders.header_hash_for(@request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; img-src data:")
+        end
-  describe "#set_x_xss_protection" do
-    it "sets the X-XSS-Protection header" do
-      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-      subject.set_x_xss_protection_header
-    end
+        it "does not append a nonce when the browser does not support it" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w(mycdn.com 'unsafe-inline'),
+              style_src: %w('self')
+            }
+          end
+          request = Rack::Request.new(@request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
+          nonce = SecureHeaders.content_security_policy_script_nonce(request)
+          hash = SecureHeaders.header_hash_for(request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
+        end
-    it "sets a custom X-XSS-Protection header" do
-      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
-      subject.set_x_xss_protection_header("0")
+        it "appends a nonce to the script-src when used" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w(mycdn.com),
+              style_src: %w('self')
+            }
+          end
+          request = Rack::Request.new(@request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
+          nonce = SecureHeaders.content_security_policy_script_nonce(request)
+          # simulate the nonce being used multiple times in a request:
+          SecureHeaders.content_security_policy_script_nonce(request)
+          SecureHeaders.content_security_policy_script_nonce(request)
+          SecureHeaders.content_security_policy_script_nonce(request)
+          hash = SecureHeaders.header_hash_for(request)
+          expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
+        end
+      end
     end
-    it "sets the block flag" do
-      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
-      subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
-    end
-  end
+    context "validation" do
+      it "validates your hsts config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.hsts = 'lol'
+          end
+        end.to raise_error(STSConfigError)
+      end
-  describe "#set_x_content_type_options" do
-    USER_AGENTS.each do |useragent|
-      context "when using #{useragent}" do
-        before(:each) do
-          stub_user_agent(USER_AGENTS[useragent])
-        end
+      it "validates your csp config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.csp = { CSP::DEFAULT_SRC => '123456' }
+          end
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
-        it "sets the X-Content-Type-Options header" do
-          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-          subject.set_x_content_type_options_header
-        end
+      it "raises errors for unknown directives" do
+        expect do
+          Configuration.default do |config|
+            config.csp = { made_up_directive: '123456' }
+          end
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
-        it "lets you override X-Content-Type-Options" do
-          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
-          subject.set_x_content_type_options_header(:value => 'nosniff')
-        end
+      it "validates your xfo config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_frame_options = "NOPE"
+          end
+        end.to raise_error(XFOConfigError)
       end
-    end
-  end
-  describe "#set_csp_header" do
-    context "when using Firefox" do
-      it "sets CSP headers" do
-        stub_user_agent(USER_AGENTS[:firefox])
-        should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
-        subject.set_csp_header
+      it "validates your xcto config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_content_type_options = "lol"
+          end
+        end.to raise_error(XContentTypeOptionsConfigError)
       end
-    end
-    context "when using Chrome" do
-      it "sets default CSP header" do
-        stub_user_agent(USER_AGENTS[:chrome])
-        should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
-        subject.set_csp_header
+      it "validates your x_xss config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_xss_protection = "lol"
+          end
+        end.to raise_error(XXssProtectionConfigError)
       end
-    end
-    context "when using a browser besides chrome/firefox" do
-      it "sets the CSP header" do
-        stub_user_agent(USER_AGENTS[:opera])
-        should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
-        subject.set_csp_header
+      it "validates your xdo config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_download_options = "lol"
+          end
+        end.to raise_error(XDOConfigError)
       end
-    end
-  end
-  describe "#set_x_permitted_cross_domain_policies_header" do
-    it "sets the X-Permitted-Cross-Domain-Policies header" do
-      should_assign_header(XPCDP_HEADER_NAME, SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
-      subject.set_x_permitted_cross_domain_policies_header
-    end
+      it "validates your x_permitted_cross_domain_policies config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_permitted_cross_domain_policies = "lol"
+          end
+        end.to raise_error(XPCDPConfigError)
+      end
-    it "allows a custom X-Permitted-Cross-Domain-Policies header" do
-      should_assign_header(XPCDP_HEADER_NAME, "master-only")
-      subject.set_x_permitted_cross_domain_policies_header(:value => 'master-only')
+      it "validates your hpkp config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.hpkp = "lol"
+          end
+        end.to raise_error(PublicKeyPinsConfigError)
+      end
     end
   end
 end

data/spec/spec_helper.rb CHANGED Viewed

@@ -1,44 +1,44 @@
 require 'rubygems'
 require 'rspec'
+require 'rack'
+require 'pry-nav'
 require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
-begin
-  require 'coveralls'
-  Coveralls.wear!
-rescue LoadError
-  # damn you 1.8.7
-end
-include ::SecureHeaders::PublicKeyPins::Constants
-include ::SecureHeaders::StrictTransportSecurity::Constants
-include ::SecureHeaders::ContentSecurityPolicy::Constants
-include ::SecureHeaders::XFrameOptions::Constants
-include ::SecureHeaders::XXssProtection::Constants
-include ::SecureHeaders::XContentTypeOptions::Constants
-include ::SecureHeaders::XDownloadOptions::Constants
-include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
+ENV["RAILS_ENV"] = "test"
 USER_AGENTS = {
-  :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
-  :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
-  :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
-  :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
-  :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
-  :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
-  :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
-  :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
-  :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
+  firefox: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
+  chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
+  ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
+  opera: 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
+  ios5: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
+  ios6: "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
+  safari5: "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
+  safari5_1: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
+  safari6: "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
 }
-class DummyClass
-  include ::SecureHeaders
+def expect_default_values(hash)
+  expect(hash[SecureHeaders::CSP::HEADER_NAME]).to eq(SecureHeaders::CSP::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XFrameOptions::HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XDownloadOptions::HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::StrictTransportSecurity::HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XXssProtection::HEADER_NAME]).to eq(SecureHeaders::XXssProtection::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
 end
-def should_assign_header name, value
-  expect(response.headers).to receive(:[]=).with(name, value)
+module SecureHeaders
+  class Configuration
+    class << self
+      def clear_configurations
+        @configurations = nil
+      end
+    end
+  end
 end
-def should_not_assign_header name
-  expect(response.headers).not_to receive(:[]=).with(name, anything)
+def reset_config
+  SecureHeaders::Configuration.clear_configurations
 end