@@ -133,18 +133,17 @@ module SecureHeaders
133133 it "does not set any headers" do
134134 _ , env = middleware . call ( Rack ::MockRequest . env_for ( "https://looocalhost" , { } ) )
135135
136- # Check individual header classes that have HEADER_NAME
137- expect ( env [ XFrameOptions ::HEADER_NAME ] ) . to be_nil
138- expect ( env [ XContentTypeOptions ::HEADER_NAME ] ) . to be_nil
139- expect ( env [ XDownloadOptions ::HEADER_NAME ] ) . to be_nil
140- expect ( env [ XPermittedCrossDomainPolicies ::HEADER_NAME ] ) . to be_nil
141- expect ( env [ XXssProtection ::HEADER_NAME ] ) . to be_nil
142- expect ( env [ StrictTransportSecurity ::HEADER_NAME ] ) . to be_nil
143- expect ( env [ ReferrerPolicy ::HEADER_NAME ] ) . to be_nil
144- expect ( env [ ContentSecurityPolicyConfig ::HEADER_NAME ] ) . to be_nil
145- expect ( env [ ContentSecurityPolicyReportOnlyConfig ::HEADER_NAME ] ) . to be_nil
146- expect ( env [ ClearSiteData ::HEADER_NAME ] ) . to be_nil
147- expect ( env [ ExpectCertificateTransparency ::HEADER_NAME ] ) . to be_nil
136+ # Verify no security headers are set by checking all configured header classes
137+ Configuration ::HEADERABLE_ATTRIBUTES . each do |attr |
138+ klass = Configuration ::CONFIG_ATTRIBUTES_TO_HEADER_CLASSES [ attr ]
139+ # Handle CSP specially since it has multiple classes
140+ if attr == :csp
141+ expect ( env [ ContentSecurityPolicyConfig ::HEADER_NAME ] ) . to be_nil
142+ expect ( env [ ContentSecurityPolicyReportOnlyConfig ::HEADER_NAME ] ) . to be_nil
143+ elsif klass . const_defined? ( :HEADER_NAME )
144+ expect ( env [ klass ::HEADER_NAME ] ) . to be_nil
145+ end
146+ end
148147 end
149148
150149 it "does not flag cookies" do
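Review bot: The `elsif klass.const_defined?(:HEADER_NAME)` guard on new line 143 silently skips any mapped class that lacks `HEADER_NAME`, and a `nil` entry in `CONFIG_ATTRIBUTES_TO_HEADER_CLASSES` would surface as a `NoMethodError` rather than a readable failure, so a header class that drops out of coverage passes without complaint — weaker than the explicit list this replaces. Since this spec is the check that an unconfigured middleware emits no security headers, an attribute that matches neither branch should fail loudly: add `else fail "no HEADER_NAME for #{attr.inspect} (#{klass.inspect})"` before the inner `end` on new line 145. It is also worth confirming that the old list's `ClearSiteData` and `ExpectCertificateTransparency` assertions are still reached through `HEADERABLE_ATTRIBUTES`; that constant is not visible here. The enclosing `describe` block begins outside the hunk.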