forked from Rockachopa/Timmy-time-dashboard
feat: code quality audit + autoresearch integration + infra hardening (#150)
This commit is contained in:
Alexander Whitestone
committed by
GitHub
GitHub
parent
fd0ede0d51
commit
ae3bb1cc21
@@ -7,20 +7,20 @@ from fastapi.testclient import TestClient
|
||||
def test_security_headers_present(client: TestClient):
|
||||
"""Test that security headers are present in all responses."""
|
||||
response = client.get("/")
|
||||
|
||||
|
||||
# Check for security headers
|
||||
assert "X-Frame-Options" in response.headers
|
||||
assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
|
||||
|
||||
|
||||
assert "X-Content-Type-Options" in response.headers
|
||||
assert response.headers["X-Content-Type-Options"] == "nosniff"
|
||||
|
||||
|
||||
assert "X-XSS-Protection" in response.headers
|
||||
assert response.headers["X-XSS-Protection"] == "1; mode=block"
|
||||
|
||||
|
||||
assert "Referrer-Policy" in response.headers
|
||||
assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"
|
||||
|
||||
|
||||
assert "Content-Security-Policy" in response.headers
|
||||
|
||||
|
||||
@@ -28,16 +28,16 @@ def test_csp_header_content(client: TestClient):
|
||||
"""Test that Content Security Policy is properly configured."""
|
||||
response = client.get("/")
|
||||
csp = response.headers.get("Content-Security-Policy", "")
|
||||
|
||||
|
||||
# Should restrict default-src to self
|
||||
assert "default-src 'self'" in csp
|
||||
|
||||
|
||||
# Should allow scripts from self and CDN
|
||||
assert "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net" in csp
|
||||
|
||||
|
||||
# Should allow styles from self, CDN, and Google Fonts
|
||||
assert "style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net" in csp
|
||||
|
||||
|
||||
# Should restrict frame ancestors to self
|
||||
assert "frame-ancestors 'self'" in csp
|
||||
|
||||
@@ -45,7 +45,7 @@ def test_csp_header_content(client: TestClient):
|
||||
def test_cors_headers_restricted(client: TestClient):
|
||||
"""Test that CORS is properly restricted (not allow-origins: *)."""
|
||||
response = client.get("/")
|
||||
|
||||
|
||||
# Should not have overly permissive CORS
|
||||
# (The actual CORS headers depend on the origin of the request,
|
||||
# so we just verify the app doesn't crash with permissive settings)
|
||||
@@ -55,7 +55,7 @@ def test_cors_headers_restricted(client: TestClient):
|
||||
def test_health_endpoint_has_security_headers(client: TestClient):
|
||||
"""Test that security headers are present on all endpoints."""
|
||||
response = client.get("/health")
|
||||
|
||||
|
||||
assert "X-Frame-Options" in response.headers
|
||||
assert "X-Content-Type-Options" in response.headers
|
||||
assert "Content-Security-Policy" in response.headers
|
||||
|
||||
Reference in New Issue
Block a user