Merge pull request #4 from SPHTech-Platform/change_default

Change defaults and add test
SPHTech-Platform · Mar 20, 2024 · 9beea77 · 9beea77
2 parents 0c9381e + 1663934
commit 9beea77
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 23 deletions.
diff --git a/examples/response-headers/main.tf b/examples/response-headers/main.tf
@@ -2,14 +2,6 @@ module "custom_resp_headers" {
   source = "../../modules/response-headers"
 
   name = "custom-response-headers"
-  strict_transport_security_header = {
-    enabled  = true
-    override = true
-
-    max_age            = 31536000
-    include_subdomains = true
-    preload            = true
-  }
 
   custom_headers = [
     {
@@ -23,3 +15,13 @@ module "custom_resp_headers" {
     sampling_rate = 100
   }
 }
+
+module "override_default" {
+  source = "../../modules/response-headers"
+
+  name = "override-default-response-headers"
+
+  xss_protection_header = {
+    enabled = false
+  }
+}
diff --git a/examples/response-headers/versions.tf b/examples/response-headers/versions.tf
@@ -2,6 +2,7 @@ terraform {
   required_version = ">= 1.3"
 
   required_providers {
+    # tflint-ignore: terraform_unused_required_providers
     aws = {
       source  = "hashicorp/aws"
       version = "~> 5.38"

diff --git a/modules/response-headers/README.md b/modules/response-headers/README.md
diff --git a/modules/response-headers/outputs.tf b/modules/response-headers/outputs.tf
@@ -7,3 +7,15 @@ output "etag" {
   description = "The current version of the response headers policy."
   value       = aws_cloudfront_response_headers_policy.this.etag
 }
+
+output "security_headers" {
+  description = "A configuration for several security-related HTTP response headers."
+  value = {
+    content_security_policy   = var.content_security_policy_header
+    content_type_options      = var.content_type_options_header
+    frame_options             = var.frame_options_header
+    referrer_policy           = var.referrer_policy_header
+    strict_transport_security = var.strict_transport_security_header
+    xss_protection            = var.xss_protection_header
+  }
+}
diff --git a/modules/response-headers/tests/examples_response_headers.tftest.hcl b/modules/response-headers/tests/examples_response_headers.tftest.hcl
@@ -8,3 +8,49 @@ run "validate" {
     source = "../../examples/response-headers"
   }
 }
+
+run "validate_security_defaults" {
+  command = apply
+
+  module {
+    source = "../../examples/response-headers"
+  }
+
+  assert {
+    condition     = module.custom_resp_headers.security_headers.strict_transport_security.enabled == true
+    error_message = "HSTS should be enabled"
+  }
+
+  assert {
+    condition     = (module.custom_resp_headers.security_headers.frame_options.enabled == true) && (module.custom_resp_headers.security_headers.frame_options.value == "DENY")
+    error_message = "Frame options should be enabled and deny"
+  }
+
+  assert {
+    condition     = module.custom_resp_headers.security_headers.content_type_options.enabled == true
+    error_message = "Content type options should be enabled"
+  }
+
+  assert {
+    condition     = (module.custom_resp_headers.security_headers.xss_protection.enabled == true) && (module.custom_resp_headers.security_headers.xss_protection.block == true)
+    error_message = "XSS protection should be enabled"
+  }
+
+  assert {
+    condition     = (module.custom_resp_headers.security_headers.referrer_policy.enabled == true) && (module.custom_resp_headers.security_headers.referrer_policy.value == "same-origin")
+    error_message = "Referrer policy should be enabled with `same-origin`"
+  }
+}
+
+run "override_defaults" {
+  command = apply
+
+  module {
+    source = "../../examples/response-headers"
+  }
+
+  assert {
+    condition     = module.override_default.security_headers.xss_protection.enabled == false
+    error_message = "XSS protection can be disabled"
+  }
+}
diff --git a/modules/response-headers/variables.tf b/modules/response-headers/variables.tf
@@ -105,7 +105,7 @@ variable "content_type_options_header" {
     `override` - Whether CloudFront overrides the `X-Content-Type-Options` response header with the header received from the origin. Defaults to `true`.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
   })
   default  = {}
@@ -124,9 +124,9 @@ variable "frame_options_header" {
       - `SAMEORIGIN`: The page can only be displayed if all ancestor frames are same origin to the page itself.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
-    value    = optional(string, "")
+    value    = optional(string, "DENY")
   })
   default  = {}
   nullable = false
@@ -150,9 +150,9 @@ variable "referrer_policy_header" {
     - `strict-origin-when-cross-origin`: Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
-    value    = optional(string, "strict-origin-when-cross-origin")
+    value    = optional(string, "same-origin")
   })
   default  = {}
   nullable = false
@@ -174,12 +174,12 @@ variable "strict_transport_security_header" {
     `preload` - Whether CloudFront includes the `preload` directive in the header value. However, it is not part of the HSTS specification and should not be treated as official. Defaults to `false`.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
 
     max_age            = optional(number, 60 * 60 * 24 * 365)
-    include_subdomains = optional(bool, false)
-    preload            = optional(bool, false)
+    include_subdomains = optional(bool, true)
+    preload            = optional(bool, true)
   })
   default  = {}
   nullable = false
@@ -198,11 +198,11 @@ variable "xss_protection_header" {
     `report` - A reporting URI (in the `report` field), which determines whether CloudFront includes the `report='reporting URI'` directive in the header value. You can't specify a reporting URI when block is enabled.
   EOF
   type = object({
-    enabled  = optional(bool, false)
+    enabled  = optional(bool, true)
     override = optional(bool, true)
 
     filtering_enabled = optional(bool, true)
-    block             = optional(bool, false)
+    block             = optional(bool, true)
     report            = optional(string, "")
   })
   default  = {}