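def test_preloaded(self):
    """Check how preload-list membership is reported for three real hosts.

    This method does not assign a Strict-Transport-Security header; only the
    URL of the HTTPS response changes between cases, so every verdict below
    is driven by the host name.
    """
    # NOTE(review): the expectations are tied to real hosts' entries in
    # whatever preload data strict_transport_security consults (not visible
    # here) -- confirm that data is a pinned copy, otherwise these assertions
    # drift whenever an upstream entry changes.

    # Listed host whose entry also covers subdomains.
    self.reqs['responses']['https'].url = 'https://bugzilla.mozilla.org/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertTrue(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # Cloudflare doesn't include subdomains
    self.reqs['responses']['https'].url = 'https://cloudflare.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # Android.com is preloaded, but only for HPKP, not HSTS.
    # A pins-only entry must not count as HSTS: the host is reported as
    # not preloaded and the check fails.
    self.reqs['responses']['https'].url = 'https://android.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertFalse(result['pass'])
    self.assertFalse(result['preloaded'])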
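def test_preloaded(self):
    """Check how preload-list membership is reported for three real hosts.

    This method does not assign a Strict-Transport-Security header; only the
    URL of the HTTPS response changes between cases, so every verdict below
    is driven by the host name.
    """
    # NOTE(review): the expectations are tied to real hosts' entries in
    # whatever preload data strict_transport_security consults (not visible
    # here) -- confirm that data is a pinned copy, otherwise these assertions
    # drift whenever an upstream entry changes.

    # Listed host whose entry also covers subdomains.
    self.reqs['responses']['https'].url = 'https://bugzilla.mozilla.org/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertTrue(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # Cloudflare doesn't include subdomains
    self.reqs['responses']['https'].url = 'https://cloudflare.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # Android.com is preloaded, but only for HPKP, not HSTS.
    # A pins-only entry must not count as HSTS: the host is reported as
    # not preloaded and the check fails.
    self.reqs['responses']['https'].url = 'https://android.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertFalse(result['pass'])
    self.assertFalse(result['preloaded'])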
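def test_preloaded(self):
    """Check how preload-list membership is reported for three real hosts.

    This method does not assign a Strict-Transport-Security header; only the
    URL of the HTTPS response changes between cases, so every verdict below
    is driven by the host name.
    """
    # NOTE(review): the expectations are tied to real hosts' entries in
    # whatever preload data strict_transport_security consults (not visible
    # here) -- confirm that data is a pinned copy, otherwise these assertions
    # drift whenever an upstream entry changes.

    # Listed host whose entry also covers subdomains.
    self.reqs['responses']['https'].url = 'https://bugzilla.mozilla.org/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertTrue(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # Facebook doesn't include subdomains
    self.reqs['responses']['https'].url = 'https://facebook.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # dropboxusercontent.com is preloaded, but only for HPKP, not HSTS.
    # A pins-only entry must not count as HSTS: the host is reported as
    # not preloaded and the check fails.
    self.reqs['responses']['https'].url = 'https://dropboxusercontent.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertFalse(result['pass'])
    self.assertFalse(result['preloaded'])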
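def test_preloaded(self):
    """Check how preload-list membership is reported for three real hosts.

    This method does not assign a Strict-Transport-Security header; only the
    URL of the HTTPS response changes between cases, so every verdict below
    is driven by the host name.
    """
    # NOTE(review): the expectations are tied to real hosts' entries in
    # whatever preload data strict_transport_security consults (not visible
    # here) -- confirm that data is a pinned copy, otherwise these assertions
    # drift whenever an upstream entry changes.

    # Listed host whose entry also covers subdomains.
    self.reqs['responses']['https'].url = 'https://bugzilla.mozilla.org/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertTrue(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # Facebook doesn't include subdomains
    self.reqs['responses']['https'].url = 'https://facebook.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-preloaded', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertTrue(result['pass'])
    self.assertTrue(result['preloaded'])

    # dropboxusercontent.com is preloaded, but only for HPKP, not HSTS.
    # A pins-only entry must not count as HSTS: the host is reported as
    # not preloaded and the check fails.
    self.reqs['responses']['https'].url = 'https://dropboxusercontent.com/'
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented', result['result'])
    self.assertFalse(result['includeSubDomains'])
    self.assertFalse(result['pass'])
    self.assertFalse(result['preloaded'])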
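def test_max_age_too_low(self):
    """Check that a short-lived HSTS policy is recognised but does not pass."""
    # 86400 seconds is one day, far below the six-month threshold named in
    # the expected result string.
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = 'max-age=86400'

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-implemented-max-age-less-than-six-months', result['result'])
    self.assertFalse(result['pass'])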
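def test_header_invalid(self):
    """Check that malformed HSTS header values are rejected, not partly honoured."""
    # No max-age directive at all: RFC 6797 makes max-age mandatory, so the
    # remaining directives on their own do not form a policy.
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = 'includeSubDomains; preload'

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-header-invalid', result['result'])
    self.assertFalse(result['pass'])

    # If the header is set twice
    # (the two policies arrive as one comma-joined value -- presumably how
    # the HTTP client folds a repeated header; confirm against the fetch code)
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = (
        'max-age=15768000; includeSubDomains, max-age=15768000; includeSubDomains'
    )

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-header-invalid', result['result'])
    self.assertFalse(result['pass'])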
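def test_header_invalid(self):
    """Check that malformed HSTS header values are rejected, not partly honoured."""
    # No max-age directive at all: RFC 6797 makes max-age mandatory, so the
    # remaining directives on their own do not form a policy.
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = 'includeSubDomains; preload'

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-header-invalid', result['result'])
    self.assertFalse(result['pass'])

    # If the header is set twice
    # (the two policies arrive as one comma-joined value -- presumably how
    # the HTTP client folds a repeated header; confirm against the fetch code)
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = (
        'max-age=15768000; includeSubDomains, max-age=15768000; includeSubDomains'
    )

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-header-invalid', result['result'])
    self.assertFalse(result['pass'])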
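def test_max_age_too_low(self):
    """Check that a short-lived HSTS policy is recognised but does not pass."""
    # 86400 seconds is one day, far below the six-month threshold named in
    # the expected result string.
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = 'max-age=86400'

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-implemented-max-age-less-than-six-months', result['result'])
    self.assertFalse(result['pass'])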
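def test_invalid_cert(self):
    """Check that a well-formed HSTS policy fails when the certificate did not verify."""
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = (
        'max-age=15768000; includeSubDomains; preload'
    )
    # The header itself is a complete policy; the only fault is the
    # unverified connection. Browsers record an HSTS policy only when it is
    # received over TLS without errors (RFC 6797, section 8.1), so the header
    # gives no protection in this state.
    self.reqs['responses']['https'].verified = False

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-invalid-cert', result['result'])
    self.assertFalse(result['pass'])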
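def test_no_https(self):
    """Check that an HSTS header seen only on non-HTTPS responses does not count."""
    # The policy is present on the 'auto' and 'http' responses but there is
    # no HTTPS response at all. Browsers ignore Strict-Transport-Security
    # received over plain HTTP (RFC 6797, section 8.1).
    # NOTE(review): what the 'auto' response represents is not visible here.
    self.reqs['responses']['auto'].headers['Strict-Transport-Security'] = 'max-age=15768000'
    self.reqs['responses']['http'].headers['Strict-Transport-Security'] = 'max-age=15768000'
    self.reqs['responses']['https'] = None

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented-no-https', result['result'])
    self.assertFalse(result['pass'])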
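def test_no_https(self):
    """Check that an HSTS header seen only on non-HTTPS responses does not count."""
    # The policy is present on the 'auto' and 'http' responses but there is
    # no HTTPS response at all. Browsers ignore Strict-Transport-Security
    # received over plain HTTP (RFC 6797, section 8.1).
    # NOTE(review): what the 'auto' response represents is not visible here.
    self.reqs['responses']['auto'].headers['Strict-Transport-Security'] = 'max-age=15768000'
    self.reqs['responses']['http'].headers['Strict-Transport-Security'] = 'max-age=15768000'
    self.reqs['responses']['https'] = None

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented-no-https', result['result'])
    self.assertFalse(result['pass'])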
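def test_invalid_cert(self):
    """Check that a well-formed HSTS policy fails when the certificate did not verify."""
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = (
        'max-age=15768000; includeSubDomains; preload'
    )
    # The header itself is a complete policy; the only fault is the
    # unverified connection. Browsers record an HSTS policy only when it is
    # received over TLS without errors (RFC 6797, section 8.1), so the header
    # gives no protection in this state.
    self.reqs['responses']['https'].verified = False

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-invalid-cert', result['result'])
    self.assertFalse(result['pass'])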
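def test_implemented(self):
    """Check that a complete HSTS policy is parsed into its parts and passes."""
    # 15768000 seconds is 182.5 days, the smallest value this suite treats
    # as "at least six months".
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = (
        'max-age=15768000; includeSubDomains; preload'
    )

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-implemented-max-age-at-least-six-months', result['result'])
    # max-age is expected back as an integer, not as the header's string.
    self.assertEqual(result['max-age'], 15768000)
    self.assertTrue(result['includeSubDomains'])
    # 'preload' is expected to be true for a header carrying the preload
    # directive; test_preloaded asserts on a separate 'preloaded' key.
    self.assertTrue(result['preload'])
    self.assertTrue(result['pass'])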
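def test_implemented(self):
    """Check that a complete HSTS policy is parsed into its parts and passes."""
    # 15768000 seconds is 182.5 days, the smallest value this suite treats
    # as "at least six months".
    self.reqs['responses']['https'].headers['Strict-Transport-Security'] = (
        'max-age=15768000; includeSubDomains; preload'
    )

    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-implemented-max-age-at-least-six-months', result['result'])
    # max-age is expected back as an integer, not as the header's string.
    self.assertEqual(result['max-age'], 15768000)
    self.assertTrue(result['includeSubDomains'])
    # 'preload' is expected to be true for a header carrying the preload
    # directive; test_preloaded asserts on a separate 'preloaded' key.
    self.assertTrue(result['preload'])
    self.assertTrue(result['pass'])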
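def test_missing(self):
    """Check that the unmodified fixture is reported as having no HSTS and fails."""
    # self.reqs is used exactly as prepared outside this method (presumably
    # in setUp); no header or URL is changed here.
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented', result['result'])
    self.assertFalse(result['pass'])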
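def test_missing(self):
    """Check that the unmodified fixture is reported as having no HSTS and fails."""
    # self.reqs is used exactly as prepared outside this method (presumably
    # in setUp); no header or URL is changed here.
    result = strict_transport_security(self.reqs)

    self.assertEqual('hsts-not-implemented', result['result'])
    self.assertFalse(result['pass'])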