tests/dashboard/test_security_headers.py

"""Test security headers middleware in FastAPI app."""

import pytest
from fastapi.testclient import TestClient


def test_security_headers_present(client: TestClient):
    """Test that security headers are present in all responses."""
    response = client.get("/")
    
    # Check for security headers
    assert "X-Frame-Options" in response.headers
    assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
    
    assert "X-Content-Type-Options" in response.headers
    assert response.headers["X-Content-Type-Options"] == "nosniff"
    
    assert "X-XSS-Protection" in response.headers
    assert response.headers["X-XSS-Protection"] == "1; mode=block"
    
    assert "Referrer-Policy" in response.headers
    assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"
    
    assert "Content-Security-Policy" in response.headers


def test_csp_header_content(client: TestClient):
    """Test that Content Security Policy is properly configured."""
    response = client.get("/")
    csp = response.headers.get("Content-Security-Policy", "")
    
    # Should restrict default-src to self
    assert "default-src 'self'" in csp
    
    # Should allow scripts from self and CDN
    assert "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net" in csp
    
    # Should allow styles from self, CDN, and Google Fonts
    assert "style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net" in csp
    
    # Should restrict frame ancestors to self
    assert "frame-ancestors 'self'" in csp


def test_cors_headers_restricted(client: TestClient):
    """Test that CORS is properly restricted (not allow-origins: *)."""
    response = client.get("/")
    
    # Should not have overly permissive CORS
    # (The actual CORS headers depend on the origin of the request,
    # so we just verify the app doesn't crash with permissive settings)
    assert response.status_code == 200


def test_health_endpoint_has_security_headers(client: TestClient):
    """Test that security headers are present on all endpoints."""
    response = client.get("/health")
    
    assert "X-Frame-Options" in response.headers
    assert "X-Content-Type-Options" in response.headers
    assert "Content-Security-Policy" in response.headers
Fix font resolution in creative module and add security headers to dashboard (#103) 2026-03-01 11:50:34 -05:00			`"""Test security headers middleware in FastAPI app."""`

			`import pytest`
			`from fastapi.testclient import TestClient`


			`def test_security_headers_present(client: TestClient):`
			`"""Test that security headers are present in all responses."""`
			`response = client.get("/")`

			`# Check for security headers`
			`assert "X-Frame-Options" in response.headers`
			`assert response.headers["X-Frame-Options"] == "SAMEORIGIN"`

			`assert "X-Content-Type-Options" in response.headers`
			`assert response.headers["X-Content-Type-Options"] == "nosniff"`

			`assert "X-XSS-Protection" in response.headers`
			`assert response.headers["X-XSS-Protection"] == "1; mode=block"`

			`assert "Referrer-Policy" in response.headers`
			`assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"`

			`assert "Content-Security-Policy" in response.headers`


			`def test_csp_header_content(client: TestClient):`
			`"""Test that Content Security Policy is properly configured."""`
			`response = client.get("/")`
			`csp = response.headers.get("Content-Security-Policy", "")`

			`# Should restrict default-src to self`
			`assert "default-src 'self'" in csp`

			`# Should allow scripts from self and CDN`
Fix build issues, implement missing routes, and stabilize e2e tests for production readiness 2026-03-04 17:15:46 -05:00			`assert "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net" in csp`
Fix font resolution in creative module and add security headers to dashboard (#103) 2026-03-01 11:50:34 -05:00
			`# Should allow styles from self, CDN, and Google Fonts`
			`assert "style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net" in csp`

			`# Should restrict frame ancestors to self`
			`assert "frame-ancestors 'self'" in csp`


			`def test_cors_headers_restricted(client: TestClient):`
			`"""Test that CORS is properly restricted (not allow-origins: *)."""`
			`response = client.get("/")`

			`# Should not have overly permissive CORS`
			`# (The actual CORS headers depend on the origin of the request,`
			`# so we just verify the app doesn't crash with permissive settings)`
			`assert response.status_code == 200`


			`def test_health_endpoint_has_security_headers(client: TestClient):`
			`"""Test that security headers are present on all endpoints."""`
			`response = client.get("/health")`

			`assert "X-Frame-Options" in response.headers`
			`assert "X-Content-Type-Options" in response.headers`
			`assert "Content-Security-Policy" in response.headers`