RubyGems - secure_headers - Versions diffs - 2.5.3 → 3.0.0.pre - Mend

secure_headers 2.5.3 → 3.0.0.pre

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (125) hide show

data/spec/lib/secure_headers_spec.rb CHANGED Viewed

@@ -1,378 +1,240 @@
 require 'spec_helper'
-describe SecureHeaders do
-  subject {DummyClass.new}
-  let(:headers) {double}
-  let(:response) {double(:headers => headers)}
-  let(:max_age) {99}
-  let(:request) {double(:ssl? => true, :url => 'https://example.com')}
-  before(:each) do
-    reset_config
-    stub_user_agent(nil)
-    allow(headers).to receive(:[])
-    allow(subject).to receive(:response).and_return(response)
-    allow(subject).to receive(:request).and_return(request)
-  end
-  def stub_user_agent val
-    allow(request).to receive_message_chain(:env, :[]).and_return(val)
-  end
-  def reset_config
-    ::SecureHeaders::Configuration.default do |config|
-      config.hpkp = nil
-      config.hsts = nil
-      config.x_frame_options = nil
-      config.x_content_type_options = nil
-      config.x_xss_protection = nil
-      config.csp = nil
-      config.x_download_options = nil
-      config.x_permitted_cross_domain_policies = nil
-    end
-  end
-  def set_security_headers(subject)
-    subject.set_csp_header
-    subject.set_hpkp_header
-    subject.set_hsts_header
-    subject.set_x_frame_options_header
-    subject.set_x_content_type_options_header
-    subject.set_x_xss_protection_header
-    subject.set_x_download_options_header
-    subject.set_x_permitted_cross_domain_policies_header
-  end
-  describe "#set_header" do
-    it "accepts name/value pairs" do
-      should_assign_header("X-Hipster-Ipsum", "kombucha")
-      subject.send(:set_header, "X-Hipster-Ipsum", "kombucha")
-    end
-    it "accepts header objects" do
-      should_assign_header("Strict-Transport-Security", SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-      subject.send(:set_header, SecureHeaders::StrictTransportSecurity.new)
-    end
-  end
-  describe "#set_security_headers" do
-    USER_AGENTS.each do |name, useragent|
-      it "sets all default headers for #{name} (smoke test)" do
-        stub_user_agent(useragent)
-        number_of_headers = 7
-        expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
-        subject.set_csp_header
-        subject.set_x_frame_options_header
-        subject.set_hsts_header
-        subject.set_hpkp_header
-        subject.set_x_xss_protection_header
-        subject.set_x_content_type_options_header
-        subject.set_x_download_options_header
-        subject.set_x_permitted_cross_domain_policies_header
+module SecureHeaders
+  describe SecureHeaders do
+    example_hpkp_config = {
+      max_age: 1_000_000,
+      include_subdomains: true,
+      report_uri: '//example.com/uri-directive',
+      pins: [
+        { sha256: 'abc' },
+        { sha256: '123' }
+      ]
+    }
+    example_hpkp_config_value = %(max-age=1000000; pin-sha256="abc"; pin-sha256="123"; report-uri="//example.com/uri-directive"; includeSubDomains)
+    before(:each) do
+      reset_config
+      @request = Rack::Request.new("HTTP_X_FORWARDED_SSL" => "on")
+    end
+    it "raises a NotYetConfiguredError if default has not been set" do
+      expect do
+        SecureHeaders.header_hash_for(@request)
+      end.to raise_error(Configuration::NotYetConfiguredError)
+    end
+    it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
+      expect do
+        SecureHeaders.opt_out_of_header(@request, CSP::CONFIG_KEY)
+      end.to raise_error(Configuration::NotYetConfiguredError)
+    end
+    describe "#header_hash_for" do
+      it "allows you to opt out of individual headers" do
+        Configuration.default
+        SecureHeaders.opt_out_of_header(@request, CSP::CONFIG_KEY)
+        hash = SecureHeaders.header_hash_for(@request)
+        expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+        expect(hash['Content-Security-Policy']).to be_nil
       end
-    end
-    it "does not set the X-Content-Type-Options header if disabled" do
-      stub_user_agent(USER_AGENTS[:ie])
-      should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)
-      subject.set_x_content_type_options_header(false)
-    end
-    it "does not set the X-XSS-Protection header if disabled" do
-      should_not_assign_header(X_XSS_PROTECTION_HEADER_NAME)
-      subject.set_x_xss_protection_header(false)
-    end
-    it "does not set the X-Download-Options header if disabled" do
-      should_not_assign_header(XDO_HEADER_NAME)
-      subject.set_x_download_options_header(false)
-    end
-    it "does not set the X-Frame-Options header if disabled" do
-      should_not_assign_header(XFO_HEADER_NAME)
-      subject.set_x_frame_options_header(false)
-    end
-    it "does not set the X-Permitted-Cross-Domain-Policies header if disabled" do
-      should_not_assign_header(XPCDP_HEADER_NAME)
-      subject.set_x_permitted_cross_domain_policies_header(false)
-    end
-    it "does not set the HSTS header if disabled" do
-      should_not_assign_header(HSTS_HEADER_NAME)
-      subject.set_hsts_header(false)
-    end
-    it "does not set the HSTS header if request is over HTTP" do
-      allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
-      should_not_assign_header(HSTS_HEADER_NAME)
-      subject.set_hsts_header({:include_subdomains => true})
-    end
-    it "does not set the HPKP header if disabled" do
-      should_not_assign_header(HPKP_HEADER_NAME)
-      subject.set_hpkp_header
-    end
-    it "does not set the HPKP header if request is over HTTP" do
-      allow(subject).to receive_message_chain(:request, :ssl?).and_return(false)
-      should_not_assign_header(HPKP_HEADER_NAME)
-      subject.set_hpkp_header(:max_age => 1234)
-    end
-    it "does not set the CSP header if disabled" do
-      stub_user_agent(USER_AGENTS[:chrome])
-      should_not_assign_header(HEADER_NAME)
-      subject.set_csp_header(false)
-    end
-    it "saves the options to the env when using script hashes" do
-      opts = {
-        :default_src => "'self'",
-        :script_hash_middleware => true
-      }
-      stub_user_agent(USER_AGENTS[:chrome])
-      expect(SecureHeaders::ContentSecurityPolicy).to receive(:add_to_env)
-      subject.set_csp_header(opts)
-    end
-    context "when disabled by configuration settings" do
-      it "does not set any headers when disabled" do
-        ::SecureHeaders::Configuration.default do |config|
-          config.hsts = false
-          config.hpkp = false
-          config.x_frame_options = false
-          config.x_content_type_options = false
-          config.x_xss_protection = false
-          config.csp = false
-          config.x_download_options = false
-          config.x_permitted_cross_domain_policies = false
+      it "allows you to opt out entirely" do
+        Configuration.default
+        SecureHeaders.opt_out_of_all_protection(@request)
+        hash = SecureHeaders.header_hash_for(@request)
+        ALL_HEADER_CLASSES.each do |klass|
+          expect(hash[klass::CONFIG_KEY]).to be_nil
         end
-        expect(subject).not_to receive(:set_header)
-        set_security_headers(subject)
-        reset_config
       end
-    end
-  end
-  describe "SecureHeaders#header_hash" do
-    def expect_default_values(hash)
-      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-      expect(hash[XDO_HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-      expect(hash[HSTS_HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-      expect(hash[X_XSS_PROTECTION_HEADER_NAME]).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-      expect(hash[X_CONTENT_TYPE_OPTIONS_HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-      expect(hash[XPCDP_HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
-    end
+      it "allows you to override X-Frame-Options settings" do
+        Configuration.default
+        SecureHeaders.override_x_frame_options(@request, XFrameOptions::DENY)
+        hash = SecureHeaders.header_hash_for(@request)
+        expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::DENY)
+      end
-    it "produces a hash of headers given a hash as config" do
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
-      expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
-      expect_default_values(hash)
-    end
+      it "allows you to override opting out" do
+        Configuration.default do |config|
+          config.x_frame_options = OPT_OUT
+          config.csp = OPT_OUT
+        end
-    it "allows opting out" do
-      hash = SecureHeaders::header_hash(:csp => false, :hpkp => false)
-      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
-      expect(hash['Content-Security-Policy']).to be_nil
-    end
+        SecureHeaders.override_x_frame_options(@request, XFrameOptions::SAMEORIGIN)
+        SecureHeaders.override_content_security_policy_directives(@request, default_src: %w(https:), script_src: %w('self'))
-    it "allows opting out with config" do
-      ::SecureHeaders::Configuration.default do |config|
-        config.hsts = false
-        config.csp = false
+        hash = SecureHeaders.header_hash_for(@request)
+        expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; script-src 'self'")
+        expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
       end
-      hash = SecureHeaders::header_hash
-      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
-      expect(hash['Content-Security-Policy']).to be_nil
-    end
-    it "produces a hash with a mix of config values, override values, and default values" do
-      ::SecureHeaders::Configuration.default do |config|
-        config.hsts = { :max_age => '123456'}
-        config.hpkp = {
-          :enforce => true,
-          :max_age => 1000000,
-          :include_subdomains => true,
-          :report_uri => '//example.com/uri-directive',
-          :pins => [
-            {:sha256 => 'abc'},
-            {:sha256 => '123'}
-          ]
-        }
+      it "produces a hash of headers with default config" do
+        Configuration.default
+        hash = SecureHeaders.header_hash_for(@request)
+        expect_default_values(hash)
       end
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
-      ::SecureHeaders::Configuration.default do |config|
-        config.hsts = nil
-        config.hpkp = nil
+      it "does not set the HSTS header if request is over HTTP" do
+        plaintext_request = Rack::Request.new({})
+        Configuration.default do |config|
+          config.hsts = "max-age=123456"
+        end
+        expect(SecureHeaders.header_hash_for(plaintext_request)[StrictTransportSecurity::HEADER_NAME]).to be_nil
       end
-      expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
-      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-      expect(hash[HSTS_HEADER_NAME]).to eq("max-age=123456")
-      expect(hash[HPKP_HEADER_NAME]).to eq(%{max-age=1000000; pin-sha256="abc"; pin-sha256="123"; report-uri="//example.com/uri-directive"; includeSubDomains})
-    end
-    it "produces a hash of headers with default config" do
-      hash = SecureHeaders::header_hash
-      expect(hash['Content-Security-Policy-Report-Only']).to eq(SecureHeaders::ContentSecurityPolicy::Constants::DEFAULT_CSP_HEADER)
-      expect_default_values(hash)
-    end
-  end
-  describe "#set_x_frame_options_header" do
-    it "sets the X-Frame-Options header" do
-      should_assign_header(XFO_HEADER_NAME, SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-      subject.set_x_frame_options_header
-    end
-    it "allows a custom X-Frame-Options header" do
-      should_assign_header(XFO_HEADER_NAME, "DENY")
-      subject.set_x_frame_options_header(:value => 'DENY')
-    end
-  end
-  describe "#set_x_download_options_header" do
-    it "sets the X-Download-Options header" do
-      should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-      subject.set_x_download_options_header
-    end
-    it "allows a custom X-Download-Options header" do
-      should_assign_header(XDO_HEADER_NAME, "noopen")
-      subject.set_x_download_options_header(:value => 'noopen')
-    end
-  end
-  describe "#set_strict_transport_security" do
-    it "sets the Strict-Transport-Security header" do
-      should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-      subject.set_hsts_header
-    end
-    it "allows you to specific a custom max-age value" do
-      should_assign_header(HSTS_HEADER_NAME, 'max-age=1234')
-      subject.set_hsts_header(:max_age => 1234)
-    end
-    it "allows you to specify includeSubdomains" do
-      should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
-      subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
-    end
-    it "allows you to specify preload" do
-      should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
-      subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
-    end
-  end
-  describe "#set_public_key_pins" do
-    it "sets the Public-Key-Pins header" do
-      should_assign_header(HPKP_HEADER_NAME + "-Report-Only", "max-age=1234")
-      subject.set_hpkp_header(:max_age => 1234)
-    end
-    it "allows you to enforce public key pinning" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234")
-      subject.set_hpkp_header(:max_age => 1234, :enforce => true)
-    end
+      it "does not set the HPKP header if request is over HTTP" do
+        plaintext_request = Rack::Request.new({})
+        Configuration.default do |config|
+          config.hpkp = example_hpkp_config
+        end
-    it "allows you to specific a custom max-age value" do
-      should_assign_header(HPKP_HEADER_NAME + "-Report-Only", 'max-age=1234')
-      subject.set_hpkp_header(:max_age => 1234)
-    end
+        expect(SecureHeaders.header_hash_for(plaintext_request)[PublicKeyPins::HEADER_NAME]).to be_nil
+      end
-    it "allows you to specify includeSubdomains" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234; includeSubDomains")
-      subject.set_hpkp_header(:max_age => 1234, :include_subdomains => true, :enforce => true)
-    end
+      context "content security policy" do
+        it "appends a value to csp directive" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w(mycdn.com 'unsafe-inline')
+            }
+          end
+          SecureHeaders.append_content_security_policy_directives(@request, script_src: %w(anothercdn.com))
+          hash = SecureHeaders.header_hash_for(@request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
+        end
-    it "allows you to specify a report-uri" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234; report-uri=\"https://foobar.com\"")
-      subject.set_hpkp_header(:max_age => 1234, :report_uri => "https://foobar.com", :enforce => true)
-    end
+        it "overrides individual directives" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self')
+            }
+          end
+          SecureHeaders.override_content_security_policy_directives(@request, default_src: %w('none'))
+          hash = SecureHeaders.header_hash_for(@request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'none'")
+        end
-    it "allows you to specify a report-uri with app_name" do
-      should_assign_header(HPKP_HEADER_NAME, "max-age=1234; report-uri=\"https://foobar.com?enforce=true&app_name=my_app\"")
-      subject.set_hpkp_header(:max_age => 1234, :report_uri => "https://foobar.com", :app_name => "my_app", :tag_report_uri => true, :enforce => true)
-    end
-  end
+        it "overrides non-existant directives" do
+          Configuration.default
+          SecureHeaders.override_content_security_policy_directives(@request, img_src: [ContentSecurityPolicy::DATA_PROTOCOL])
+          hash = SecureHeaders.header_hash_for(@request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; img-src data:")
+        end
-  describe "#set_x_xss_protection" do
-    it "sets the X-XSS-Protection header" do
-      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-      subject.set_x_xss_protection_header
-    end
+        it "does not append a nonce when the browser does not support it" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w(mycdn.com 'unsafe-inline'),
+              style_src: %w('self')
+            }
+          end
+          request = Rack::Request.new(@request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
+          nonce = SecureHeaders.content_security_policy_script_nonce(request)
+          hash = SecureHeaders.header_hash_for(request)
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
+        end
-    it "sets a custom X-XSS-Protection header" do
-      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
-      subject.set_x_xss_protection_header("0")
+        it "appends a nonce to the script-src when used" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              script_src: %w(mycdn.com),
+              style_src: %w('self')
+            }
+          end
+          request = Rack::Request.new(@request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
+          nonce = SecureHeaders.content_security_policy_script_nonce(request)
+          # simulate the nonce being used multiple times in a request:
+          SecureHeaders.content_security_policy_script_nonce(request)
+          SecureHeaders.content_security_policy_script_nonce(request)
+          SecureHeaders.content_security_policy_script_nonce(request)
+          hash = SecureHeaders.header_hash_for(request)
+          expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
+        end
+      end
     end
-    it "sets the block flag" do
-      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
-      subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
-    end
-  end
+    context "validation" do
+      it "validates your hsts config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.hsts = 'lol'
+          end
+        end.to raise_error(STSConfigError)
+      end
-  describe "#set_x_content_type_options" do
-    USER_AGENTS.each do |useragent|
-      context "when using #{useragent}" do
-        before(:each) do
-          stub_user_agent(USER_AGENTS[useragent])
-        end
+      it "validates your csp config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.csp = { CSP::DEFAULT_SRC => '123456' }
+          end
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
-        it "sets the X-Content-Type-Options header" do
-          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-          subject.set_x_content_type_options_header
-        end
+      it "raises errors for unknown directives" do
+        expect do
+          Configuration.default do |config|
+            config.csp = { made_up_directive: '123456' }
+          end
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
-        it "lets you override X-Content-Type-Options" do
-          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
-          subject.set_x_content_type_options_header(:value => 'nosniff')
-        end
+      it "validates your xfo config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_frame_options = "NOPE"
+          end
+        end.to raise_error(XFOConfigError)
       end
-    end
-  end
-  describe "#set_csp_header" do
-    context "when using Firefox" do
-      it "sets CSP headers" do
-        stub_user_agent(USER_AGENTS[:firefox])
-        should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
-        subject.set_csp_header
+      it "validates your xcto config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_content_type_options = "lol"
+          end
+        end.to raise_error(XContentTypeOptionsConfigError)
       end
-    end
-    context "when using Chrome" do
-      it "sets default CSP header" do
-        stub_user_agent(USER_AGENTS[:chrome])
-        should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
-        subject.set_csp_header
+      it "validates your x_xss config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_xss_protection = "lol"
+          end
+        end.to raise_error(XXssProtectionConfigError)
       end
-    end
-    context "when using a browser besides chrome/firefox" do
-      it "sets the CSP header" do
-        stub_user_agent(USER_AGENTS[:opera])
-        should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
-        subject.set_csp_header
+      it "validates your xdo config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_download_options = "lol"
+          end
+        end.to raise_error(XDOConfigError)
       end
-    end
-  end
-  describe "#set_x_permitted_cross_domain_policies_header" do
-    it "sets the X-Permitted-Cross-Domain-Policies header" do
-      should_assign_header(XPCDP_HEADER_NAME, SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
-      subject.set_x_permitted_cross_domain_policies_header
-    end
+      it "validates your x_permitted_cross_domain_policies config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.x_permitted_cross_domain_policies = "lol"
+          end
+        end.to raise_error(XPCDPConfigError)
+      end
-    it "allows a custom X-Permitted-Cross-Domain-Policies header" do
-      should_assign_header(XPCDP_HEADER_NAME, "master-only")
-      subject.set_x_permitted_cross_domain_policies_header(:value => 'master-only')
+      it "validates your hpkp config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.hpkp = "lol"
+          end
+        end.to raise_error(PublicKeyPinsConfigError)
+      end
     end
   end
 end

data/spec/spec_helper.rb CHANGED Viewed

@@ -1,44 +1,44 @@
 require 'rubygems'
 require 'rspec'
+require 'rack'
+require 'pry-nav'
 require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
-begin
-  require 'coveralls'
-  Coveralls.wear!
-rescue LoadError
-  # damn you 1.8.7
-end
-include ::SecureHeaders::PublicKeyPins::Constants
-include ::SecureHeaders::StrictTransportSecurity::Constants
-include ::SecureHeaders::ContentSecurityPolicy::Constants
-include ::SecureHeaders::XFrameOptions::Constants
-include ::SecureHeaders::XXssProtection::Constants
-include ::SecureHeaders::XContentTypeOptions::Constants
-include ::SecureHeaders::XDownloadOptions::Constants
-include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
+ENV["RAILS_ENV"] = "test"
 USER_AGENTS = {
-  :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
-  :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
-  :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
-  :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
-  :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
-  :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
-  :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
-  :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
-  :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
+  firefox: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
+  chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
+  ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
+  opera: 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
+  ios5: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
+  ios6: "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
+  safari5: "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
+  safari5_1: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
+  safari6: "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
 }
-class DummyClass
-  include ::SecureHeaders
+def expect_default_values(hash)
+  expect(hash[SecureHeaders::CSP::HEADER_NAME]).to eq(SecureHeaders::CSP::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XFrameOptions::HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XDownloadOptions::HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::StrictTransportSecurity::HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XXssProtection::HEADER_NAME]).to eq(SecureHeaders::XXssProtection::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
 end
-def should_assign_header name, value
-  expect(response.headers).to receive(:[]=).with(name, value)
+module SecureHeaders
+  class Configuration
+    class << self
+      def clear_configurations
+        @configurations = nil
+      end
+    end
+  end
 end
-def should_not_assign_header name
-  expect(response.headers).not_to receive(:[]=).with(name, anything)
+def reset_config
+  SecureHeaders::Configuration.clear_configurations
 end