9893ead689
- Add helmet middleware for secure HTTP response headers - Add express-rate-limit with three limiters: - authLimiter: per-IP, 20 req/15min on /api/auth/* - gameLimiter: per-user, 150 req/15min (not yet wired) - lobbyLimiter: per-user, 20 req/15min (not yet wired) - Set trust proxy for correct client IP behind Caddy - Add tests for all three limiters and helmet headers
39 lines
1.3 KiB
TypeScript
39 lines
1.3 KiB
TypeScript
import request from "supertest";
|
|
import { describe, it, expect } from "vitest";
|
|
import { createApp } from "./app.js";
|
|
|
|
const app = createApp();
|
|
|
|
describe("security headers (helmet)", () => {
|
|
it("sets X-Content-Type-Options to nosniff", async () => {
|
|
const res = await request(app).get("/api/v1/health");
|
|
expect(res.headers["x-content-type-options"]).toBe("nosniff");
|
|
});
|
|
|
|
it("sets X-Frame-Options to SAMEORIGIN", async () => {
|
|
const res = await request(app).get("/api/v1/health");
|
|
expect(res.headers["x-frame-options"]).toBe("SAMEORIGIN");
|
|
});
|
|
|
|
it("removes X-Powered-By header", async () => {
|
|
const res = await request(app).get("/api/v1/health");
|
|
expect(res.headers).not.toHaveProperty("x-powered-by");
|
|
});
|
|
|
|
it("sets Content-Security-Policy", async () => {
|
|
const res = await request(app).get("/api/v1/health");
|
|
expect(res.headers).toHaveProperty("content-security-policy");
|
|
});
|
|
});
|
|
|
|
describe("auth rate limiting", () => {
|
|
it("returns 429 after exceeding the auth limit", async () => {
|
|
const testApp = createApp();
|
|
const limit = 20;
|
|
for (let i = 0; i < limit; i++) {
|
|
await request(testApp).post("/api/auth/sign-in");
|
|
}
|
|
const res = await request(testApp).post("/api/auth/sign-in");
|
|
expect(res.status).toBe(429);
|
|
});
|
|
});
|