Files
thedotmack--claude-mem/tests/server/server-security-headers.test.ts
wehub-resource-sync f9447f8e5f
CI / typecheck · build · test · bundle-size (push) Failing after 1s
CI / clean-room dependency closure smoke (push) Failing after 1s
CI / server-runtime e2e (docker · pg + valkey) (push) Failing after 2s
Deploy Install Scripts / deploy (push) Failing after 2s
Windows / build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:07:03 +08:00

63 lines
2.5 KiB
TypeScript

// SPDX-License-Identifier: Apache-2.0
//
// #2572 — the server runtime must emit hardening response headers. The worker
// (loopback-only) leaves them off. We assert the opt-in `securityHeaders`
// option installs the headers on every response and is absent by default.
import { afterEach, describe, expect, it, spyOn } from 'bun:test';
import { logger } from '../../src/utils/logger.js';
import { Server, type ServerOptions } from '../../src/services/server/Server.js';
function baseOptions(overrides: Partial<ServerOptions> = {}): ServerOptions {
return {
getInitializationComplete: () => true,
getMcpReady: () => true,
onShutdown: () => Promise.resolve(),
onRestart: () => Promise.resolve(),
workerPath: '/test/worker-service.cjs',
getAiStatus: () => ({ provider: 'disabled', authMethod: 'api-key', lastInteraction: null }),
...overrides,
};
}
describe('Server security headers (#2572)', () => {
let server: Server | null = null;
let spies: ReturnType<typeof spyOn>[] = [];
afterEach(async () => {
spies.forEach(s => s.mockRestore());
spies = [];
if (server?.getHttpServer()) {
try { await server.close(); } catch { /* ignore */ }
}
server = null;
});
it('emits hardening headers on a server response when securityHeaders=true', async () => {
spies = [spyOn(logger, 'info').mockImplementation(() => {})];
server = new Server(baseOptions({ securityHeaders: true }));
const port = 41000 + Math.floor(Math.random() * 9000);
await server.listen(port, '127.0.0.1');
const res = await fetch(`http://127.0.0.1:${port}/api/health`);
expect(res.status).toBe(200);
expect(res.headers.get('x-content-type-options')).toBe('nosniff');
expect(res.headers.get('x-frame-options')).toBe('DENY');
expect(res.headers.get('referrer-policy')).toBe('no-referrer');
expect(res.headers.get('cross-origin-opener-policy')).toBe('same-origin');
expect(res.headers.get('x-powered-by')).toBeNull();
});
it('does NOT emit the hardening headers by default (worker runtime)', async () => {
spies = [spyOn(logger, 'info').mockImplementation(() => {})];
server = new Server(baseOptions());
const port = 41000 + Math.floor(Math.random() * 9000);
await server.listen(port, '127.0.0.1');
const res = await fetch(`http://127.0.0.1:${port}/api/health`);
expect(res.status).toBe(200);
expect(res.headers.get('x-content-type-options')).toBeNull();
expect(res.headers.get('x-frame-options')).toBeNull();
});
});