Add tests for CSRF and DNS rebind

Problem: We had these problems in the past and we can't have them again.
Solution: Tests make it really easy to double-check that we remain immune.

.cspell.json

@@ -3,8 +3,9 @@
   "language": "en",
   "words": [
     "AGPL",
-    "EACCESS",
     "Argyris",
+    "CSRF",
+    "EACCESS",
     "Hintjens",
     "Kata",
     "LGPL",
@@ -46,8 +47,8 @@
     "shortname",
     "socio",
     "ssbc",
-    "summerfruit",
     "sulphurpool",
+    "summerfruit",
     "systemctl",
     "systemd",
     "unfollow",

test/basic.js

@@ -28,13 +28,35 @@ const paths = [
 
 tap.setTimeout(0);
 
+tap.test("DNS rebind attack fails", (t) => {
+  t.plan(1);
+  supertest(app)
+    .get("/inbox")
+    .set("Host", "example.com")
+    .expect(400)
+    .end(t.error);
+});
+
+tap.test("CSRF attack should fail with no referer", (t) => {
+  t.plan(1);
+  supertest(app).post("/conn/settings/stop").expect(400).end(t.error);
+});
+
+tap.test("CSRF attack should fail with wrong referer", (t) => {
+  t.plan(1);
+  supertest(app)
+    .post("/conn/settings/stop")
+    .set("Host", "example.com")
+    .expect(400)
+    .end(t.error);
+});
+
 paths.forEach((path) => {
   tap.test(path, (t) => {
     t.plan(1);
-    supertest
+    supertest(app)
-      .agent(app)
-      .host("localhost") // supertest workaround
       .get(path)
+      .set("Host", "localhost")
       .expect(200)
       .end((err) => {
         console.log(path);