Address code review feedback: improve comments and test maintainability

Copilot · fletchto99 · Copilot · commit f76080a066a0 · 2025-12-16T23:12:57.000Z
Co-authored-by: fletchto99 &lt;718681+fletchto99@users.noreply.github.com&gt;
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
@@ -135,6 +135,7 @@ def create_noop_config
       end
 
       # Private: Block for creating NOOP configuration
+      # Used by both create_noop_config and the NOOP_OVERRIDE mechanism
       def create_noop_config_block(config)
         CONFIG_ATTRIBUTES.each do |attr|
           config.instance_variable_set("@#{attr}", OPT_OUT)
diff --git a/spec/lib/secure_headers/middleware_spec.rb b/spec/lib/secure_headers/middleware_spec.rb
@@ -123,18 +123,17 @@ module SecureHeaders
       it "does not set any headers" do
         _, env = middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
 
-        # Check individual header classes that have HEADER_NAME
-        expect(env[XFrameOptions::HEADER_NAME]).to be_nil
-        expect(env[XContentTypeOptions::HEADER_NAME]).to be_nil
-        expect(env[XDownloadOptions::HEADER_NAME]).to be_nil
-        expect(env[XPermittedCrossDomainPolicies::HEADER_NAME]).to be_nil
-        expect(env[XXssProtection::HEADER_NAME]).to be_nil
-        expect(env[StrictTransportSecurity::HEADER_NAME]).to be_nil
-        expect(env[ReferrerPolicy::HEADER_NAME]).to be_nil
-        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to be_nil
-        expect(env[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to be_nil
-        expect(env[ClearSiteData::HEADER_NAME]).to be_nil
-        expect(env[ExpectCertificateTransparency::HEADER_NAME]).to be_nil
+        # Verify no security headers are set by checking all configured header classes
+        Configuration::HEADERABLE_ATTRIBUTES.each do |attr|
+          klass = Configuration::CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
+          # Handle CSP specially since it has multiple classes
+          if attr == :csp
+            expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to be_nil
+            expect(env[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to be_nil
+          elsif klass.const_defined?(:HEADER_NAME)
+            expect(env[klass::HEADER_NAME]).to be_nil
+          end
+        end
       end
 
       it "does not flag cookies" do
