From 04c3b3fcb8652391427df4ea0ce5e71b22b96d76 Mon Sep 17 00:00:00 2001
From: Felipe Zipitria <felipe.zipitria@owasp.org>
Date: Fri, 13 Dec 2024 13:34:26 -0300
Subject: [PATCH] fix: add headers to http + tests

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
---
 .github/workflows/verifyimage.yml            | 8 ++++++++
 nginx/templates/conf.d/default.conf.template | 1 +
 2 files changed, 9 insertions(+)

diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index e0ffa8e..a0b4267 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -70,3 +70,11 @@ jobs:
       - name: Verify ${{ matrix.target }}
         run: |
           [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ]
+          if "${{ matrix.target }}" == "nginx" ; then
+            curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd
+            grep -q "HTTP/1.1 403 Forbidden" headers.txt
+            grep -q "Access-Control-Allow-Origin: *" headers.txt
+            grep -q "Access-Control-Max-Age: 3600" headers.txt
+            grep -q "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS" headers.txt
+            grep -q "Access-Control-Allow-Headers: *" headers.txt
+          fi
diff --git a/nginx/templates/conf.d/default.conf.template b/nginx/templates/conf.d/default.conf.template
index 976f262..7f25d71 100644
--- a/nginx/templates/conf.d/default.conf.template
+++ b/nginx/templates/conf.d/default.conf.template
@@ -23,6 +23,7 @@ server {
             return 301 https://$host$request_uri;
         }
 
+        include includes/cors.conf;
         include includes/proxy_backend.conf;
 
         index index.html index.htm;