Ejemplo n.º 1
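    def test_preloaded(self):
        """Check how preload-list membership is reported for three real hosts.

        Each case points the HTTPS response at a different URL and expects
        ``(result code, includeSubDomains, pass, preloaded)``.

        NOTE(review): the expectations mirror the preload data for real
        domains at the time the test was written; presumably they come from a
        bundled snapshot of the list, so they will drift when entries change.
        """
        cases = (
            # Preloaded for HSTS, subdomains covered.
            ('https://bugzilla.mozilla.org/', 'hsts-preloaded', True, True, True),
            # Cloudflare doesn't include subdomains
            ('https://cloudflare.com/', 'hsts-preloaded', False, True, True),
            # Android.com is preloaded, but only for HPKP, not HSTS: a pinning
            # entry alone does not force HTTPS, so it must not count as HSTS.
            ('https://android.com/', 'hsts-not-implemented', False, False, False),
        )

        for url, code, include_subdomains, passes, preloaded in cases:
            with self.subTest(url=url):
                self.reqs['responses']['https'].url = url

                result = strict_transport_security(self.reqs)

                # assertEqual replaces the assertEquals alias, which was
                # removed from unittest in Python 3.12.
                self.assertEqual(code, result['result'])
                self.assertEqual(include_subdomains, bool(result['includeSubDomains']))
                self.assertEqual(passes, bool(result['pass']))
                self.assertEqual(preloaded, bool(result['preloaded']))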
Ejemplo n.º 2
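    def test_preloaded(self):
        """Preloaded hosts pass without a header; HPKP-only entries do not.

        No Strict-Transport-Security header is set here: only the URL of the
        HTTPS response changes, so every outcome is decided by the host name.

        NOTE(review): these are live domain names, so the expected values hold
        only while the preload data the scanner consults stays the same.
        """
        # Preloaded with subdomains covered.
        self.reqs['responses']['https'].url = 'https://bugzilla.mozilla.org/'
        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-preloaded', outcome['result'])
        self.assertTrue(outcome['includeSubDomains'])
        self.assertTrue(outcome['pass'])
        self.assertTrue(outcome['preloaded'])

        # Cloudflare doesn't include subdomains
        self.reqs['responses']['https'].url = 'https://cloudflare.com/'
        outcome = strict_transport_security(self.reqs)

        self.assertEqual('hsts-preloaded', outcome['result'])
        self.assertFalse(outcome['includeSubDomains'])
        self.assertTrue(outcome['pass'])
        self.assertTrue(outcome['preloaded'])

        # Android.com is preloaded, but only for HPKP, not HSTS
        # (key pinning does not force HTTPS, so the HSTS check must fail).
        self.reqs['responses']['https'].url = 'https://android.com/'
        outcome = strict_transport_security(self.reqs)

        self.assertEqual('hsts-not-implemented', outcome['result'])
        self.assertFalse(outcome['includeSubDomains'])
        self.assertFalse(outcome['pass'])
        self.assertFalse(outcome['preloaded'])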
Ejemplo n.º 3
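    def test_preloaded(self):
        """Check how preload-list membership is reported for three real hosts.

        Each case points the HTTPS response at a different URL and expects
        ``(result code, includeSubDomains, pass, preloaded)``.

        NOTE(review): the expectations track real domains; presumably the
        scanner reads a bundled copy of the preload list, so an update to that
        copy can invalidate them without any code change.
        """
        cases = (
            # Preloaded for HSTS, subdomains covered.
            ('https://bugzilla.mozilla.org/', 'hsts-preloaded', True, True, True),
            # Facebook doesn't include subdomains
            ('https://facebook.com/', 'hsts-preloaded', False, True, True),
            # dropboxusercontent.com is preloaded, but only for HPKP, not HSTS:
            # a pin-only entry gives no HTTPS enforcement, so the check fails.
            ('https://dropboxusercontent.com/', 'hsts-not-implemented', False, False, False),
        )

        for url, code, include_subdomains, passes, preloaded in cases:
            with self.subTest(url=url):
                self.reqs['responses']['https'].url = url

                result = strict_transport_security(self.reqs)

                # assertEqual replaces the assertEquals alias, which was
                # removed from unittest in Python 3.12.
                self.assertEqual(code, result['result'])
                self.assertEqual(include_subdomains, bool(result['includeSubDomains']))
                self.assertEqual(passes, bool(result['pass']))
                self.assertEqual(preloaded, bool(result['preloaded']))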
Ejemplo n.º 4
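    def test_preloaded(self):
        """Preloaded hosts pass without a header; HPKP-only entries do not.

        Only the URL of the HTTPS response is changed between the three
        checks, so the result depends on the host name alone.

        NOTE(review): live domains are used, so the expected values are only
        valid for the preload data the scanner currently ships or fetches.
        """
        # Preloaded with subdomains covered.
        self.reqs['responses']['https'].url = 'https://bugzilla.mozilla.org/'
        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-preloaded', outcome['result'])
        self.assertTrue(outcome['includeSubDomains'])
        self.assertTrue(outcome['pass'])
        self.assertTrue(outcome['preloaded'])

        # Facebook doesn't include subdomains
        self.reqs['responses']['https'].url = 'https://facebook.com/'
        outcome = strict_transport_security(self.reqs)

        self.assertEqual('hsts-preloaded', outcome['result'])
        self.assertFalse(outcome['includeSubDomains'])
        self.assertTrue(outcome['pass'])
        self.assertTrue(outcome['preloaded'])

        # dropboxusercontent.com is preloaded, but only for HPKP, not HSTS
        # (key pinning does not force HTTPS, so the HSTS check must fail).
        self.reqs['responses']['https'].url = 'https://dropboxusercontent.com/'
        outcome = strict_transport_security(self.reqs)

        self.assertEqual('hsts-not-implemented', outcome['result'])
        self.assertFalse(outcome['includeSubDomains'])
        self.assertFalse(outcome['pass'])
        self.assertFalse(outcome['preloaded'])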
Ejemplo n.º 5
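    def test_max_age_too_low(self):
        """A one-day max-age is reported as too short and fails the check.

        86400 seconds is 24 hours. A short lifetime means the browser forgets
        the HTTPS-only policy quickly, so the next plaintext first request is
        again open to downgrade; the scanner's threshold is six months.
        """
        self.reqs['responses']['https'].headers['Strict-Transport-Security'] = 'max-age=86400'

        result = strict_transport_security(self.reqs)

        # assertEqual replaces the assertEquals alias removed in Python 3.12.
        self.assertEqual('hsts-implemented-max-age-less-than-six-months', result['result'])
        self.assertFalse(result['pass'])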
Ejemplo n.º 6
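    def test_header_invalid(self):
        """Malformed Strict-Transport-Security values are flagged and fail.

        Two shapes are covered: a header with no ``max-age`` (the one directive
        RFC 6797 requires) and a comma-joined value, which is what a client
        sees when the server emits the header twice.
        """
        malformed_values = (
            # No max-age: the other directives mean nothing without a lifetime.
            'includeSubDomains; preload',
            # If the header is set twice
            'max-age=15768000; includeSubDomains, max-age=15768000; includeSubDomains',
        )

        for header_value in malformed_values:
            with self.subTest(header=header_value):
                self.reqs['responses']['https'].headers['Strict-Transport-Security'] = header_value

                result = strict_transport_security(self.reqs)

                # assertEqual replaces the assertEquals alias removed in
                # Python 3.12.
                self.assertEqual('hsts-header-invalid', result['result'])
                self.assertFalse(result['pass'])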
Ejemplo n.º 7
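    def test_header_invalid(self):
        """An unparseable HSTS header yields 'hsts-header-invalid' and no pass.

        A policy the scanner cannot parse is treated as a failure rather than
        as a weaker-but-present policy.
        """
        https_headers = self.reqs['responses']['https'].headers

        # max-age is missing, and RFC 6797 makes it a required directive.
        https_headers['Strict-Transport-Security'] = 'includeSubDomains; preload'
        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-header-invalid', outcome['result'])
        self.assertFalse(outcome['pass'])

        # If the header is set twice (the two values arrive comma-joined)
        https_headers['Strict-Transport-Security'] = \
            'max-age=15768000; includeSubDomains, max-age=15768000; includeSubDomains'
        outcome = strict_transport_security(self.reqs)

        self.assertEqual('hsts-header-invalid', outcome['result'])
        self.assertFalse(outcome['pass'])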
Ejemplo n.º 8
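    def test_max_age_too_low(self):
        """max-age=86400 (one day) must not satisfy the six-month minimum.

        The header is syntactically valid, so the expected code is the
        'implemented but too short' one, not 'invalid'; the check still fails
        because the policy expires too soon to protect returning visitors.
        """
        one_day_policy = 'max-age=86400'
        self.reqs['responses']['https'].headers['Strict-Transport-Security'] = one_day_policy

        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-implemented-max-age-less-than-six-months', outcome['result'])
        self.assertFalse(outcome['pass'])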
Ejemplo n.º 9
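    def test_invalid_cert(self):
        """A strong HSTS header on an unverified connection must still fail.

        The header value itself is fine (six months, includeSubDomains,
        preload), but ``verified`` is False. RFC 6797 tells browsers to ignore
        the header when the TLS connection has errors, so the policy would
        never take effect for real users.

        NOTE(review): ``verified`` presumably records certificate validation
        of the HTTPS response; confirm against the fixture.
        """
        self.reqs['responses']['https'].headers['Strict-Transport-Security'] = \
            'max-age=15768000; includeSubDomains; preload'
        self.reqs['responses']['https'].verified = False

        result = strict_transport_security(self.reqs)

        # assertEqual replaces the assertEquals alias removed in Python 3.12.
        self.assertEqual('hsts-invalid-cert', result['result'])
        self.assertFalse(result['pass'])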
Ejemplo n.º 10
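    def test_no_https(self):
        """HSTS headers seen only outside HTTPS do not count as implemented.

        The header is placed on the 'auto' and 'http' responses while the
        'https' response is absent. Browsers ignore Strict-Transport-Security
        delivered over plain HTTP (RFC 6797), so the site gets no protection.
        """
        self.reqs['responses']['auto'].headers['Strict-Transport-Security'] = 'max-age=15768000'
        self.reqs['responses']['http'].headers['Strict-Transport-Security'] = 'max-age=15768000'
        # No HTTPS response at all: the site could not be reached over TLS.
        self.reqs['responses']['https'] = None

        result = strict_transport_security(self.reqs)

        # assertEqual replaces the assertEquals alias removed in Python 3.12.
        self.assertEqual('hsts-not-implemented-no-https', result['result'])
        self.assertFalse(result['pass'])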
Ejemplo n.º 11
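    def test_no_https(self):
        """Without an HTTPS response the result is 'hsts-not-implemented-no-https'.

        A six-month policy is attached to the 'auto' and 'http' responses
        only. It must not be credited: an HSTS header sent over cleartext can
        be injected or stripped in transit and is ignored by browsers.
        """
        six_month_policy = 'max-age=15768000'
        responses = self.reqs['responses']

        responses['auto'].headers['Strict-Transport-Security'] = six_month_policy
        responses['http'].headers['Strict-Transport-Security'] = six_month_policy
        responses['https'] = None  # no TLS endpoint was reachable

        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-not-implemented-no-https', outcome['result'])
        self.assertFalse(outcome['pass'])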
Ejemplo n.º 12
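    def test_invalid_cert(self):
        """An otherwise ideal header fails when the response is not verified.

        Expected code is 'hsts-invalid-cert'. The reasoning a reader should
        keep in mind: a browser discards HSTS headers received over a
        connection with certificate errors, so a good header value alone is
        not evidence of a working policy.

        NOTE(review): assumes ``verified = False`` marks a failed certificate
        check on the HTTPS response - confirm in the test fixture.
        """
        https_response = self.reqs['responses']['https']
        https_response.headers['Strict-Transport-Security'] = \
            'max-age=15768000; includeSubDomains; preload'
        https_response.verified = False

        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-invalid-cert', outcome['result'])
        self.assertFalse(outcome['pass'])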
Ejemplo n.º 13
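    def test_implemented(self):
        """A six-month policy with both optional directives passes.

        15768000 seconds is 182.5 days, the minimum the scanner accepts. The
        parsed ``max-age`` is expected back as an integer, and both
        ``includeSubDomains`` and ``preload`` are expected to be truthy.

        Note that ``preload`` here reflects the directive in the header; the
        directive by itself does not mean the host is on a browser's list.
        """
        self.reqs['responses']['https'].headers['Strict-Transport-Security'] = \
            'max-age=15768000; includeSubDomains; preload'

        result = strict_transport_security(self.reqs)

        # assertEqual replaces the assertEquals alias removed in Python 3.12.
        self.assertEqual('hsts-implemented-max-age-at-least-six-months', result['result'])
        self.assertEqual(result['max-age'], 15768000)
        self.assertTrue(result['includeSubDomains'])
        self.assertTrue(result['preload'])
        self.assertTrue(result['pass'])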
Ejemplo n.º 14
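    def test_implemented(self):
        """The full header (max-age, includeSubDomains, preload) is accepted.

        Verifies the result code, the numeric ``max-age`` the scanner parsed
        out of the header, and the two directive flags. ``preload`` only says
        the directive was present in the header.
        """
        full_policy = 'max-age=15768000; includeSubDomains; preload'
        self.reqs['responses']['https'].headers['Strict-Transport-Security'] = full_policy

        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-implemented-max-age-at-least-six-months', outcome['result'])
        self.assertEqual(outcome['max-age'], 15768000)  # 182.5 days, as an int
        self.assertTrue(outcome['includeSubDomains'])
        self.assertTrue(outcome['preload'])
        self.assertTrue(outcome['pass'])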
Ejemplo n.º 15
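    def test_missing(self):
        """With no HSTS header set, the check reports 'hsts-not-implemented'.

        NOTE(review): relies on the fixture in ``self.reqs`` carrying no
        Strict-Transport-Security header and a non-preloaded URL by default.
        """
        result = strict_transport_security(self.reqs)

        # assertEqual replaces the assertEquals alias removed in Python 3.12.
        self.assertEqual('hsts-not-implemented', result['result'])
        self.assertFalse(result['pass'])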
Ejemplo n.º 16
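    def test_missing(self):
        """Baseline case: an untouched fixture must fail the HSTS check.

        NOTE(review): presumably the default ``self.reqs`` has neither an HSTS
        header nor a preloaded host; verify against the fixture setup.
        """
        outcome = strict_transport_security(self.reqs)

        # assertEqual: the assertEquals alias no longer exists in Python 3.12+.
        self.assertEqual('hsts-not-implemented', outcome['result'])
        self.assertFalse(outcome['pass'])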