perplexity/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Issues Pull Requests 1 Activity
This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
0b91e45d9026ce3e4c7400c65c4e2bb5cd50f206
Timmy-time-dashboard/tests/dashboard/test_security_headers.py
Alexander Whitestone 9d78eb31d1 ruff (#169) 
* polish: streamline nav, extract inline styles, improve tablet UX

- Restructure desktop nav from 8+ flat links + overflow dropdown into
  5 grouped dropdowns (Core, Agents, Intel, System, More) matching
  the mobile menu structure to reduce decision fatigue
- Extract all inline styles from mission_control.html and base.html
  notification elements into mission-control.css with semantic classes
- Replace JS-built innerHTML with secure DOM construction in
  notification loader and chat history
- Add CONNECTING state to connection indicator (amber) instead of
  showing OFFLINE before WebSocket connects
- Add tablet breakpoint (1024px) with larger touch targets for
  Apple Pencil / stylus use and safe-area padding for iPad toolbar
- Add active-link highlighting in desktop dropdown menus
- Rename "Mission Control" page title to "System Overview" to
  disambiguate from the chat home page
- Add "Home — Timmy Time" page title to index.html

https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h

* fix(security): move auth-gate credentials to environment variables

Hardcoded username, password, and HMAC secret in auth-gate.py replaced
with os.environ lookups. Startup now refuses to run if any variable is
unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example.

https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h

* refactor(tooling): migrate from black+isort+bandit to ruff

Replace three separate linting/formatting tools with a single ruff
invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs),
.pre-commit-config.yaml, and CI workflow. Fixes all ruff errors
including unused imports, missing raise-from, and undefined names.
Ruff config maps existing bandit skips to equivalent S-rules.

https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-03-11 12:23:35 -04:00

61 lines
2.2 KiB
Python
Raw Blame History

"""Test security headers middleware in FastAPI app."""
from fastapi.testclient import TestClient
def test_security_headers_present(client: TestClient):
"""Test that security headers are present in all responses."""
response = client.get("/")
# Check for security headers
assert "X-Frame-Options" in response.headers
assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
assert "X-Content-Type-Options" in response.headers
assert response.headers["X-Content-Type-Options"] == "nosniff"
assert "X-XSS-Protection" in response.headers
assert response.headers["X-XSS-Protection"] == "1; mode=block"
assert "Referrer-Policy" in response.headers
assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"
assert "Content-Security-Policy" in response.headers
def test_csp_header_content(client: TestClient):
"""Test that Content Security Policy is properly configured."""
response = client.get("/")
csp = response.headers.get("Content-Security-Policy", "")
# Should restrict default-src to self
assert "default-src 'self'" in csp
# Should allow scripts from self and CDN
assert "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net" in csp
# Should allow styles from self, CDN, and Google Fonts
assert "style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net" in csp
# Should restrict frame ancestors to self
assert "frame-ancestors 'self'" in csp
def test_cors_headers_restricted(client: TestClient):
"""Test that CORS is properly restricted (not allow-origins: *)."""
response = client.get("/")
# Should not have overly permissive CORS
# (The actual CORS headers depend on the origin of the request,
# so we just verify the app doesn't crash with permissive settings)
assert response.status_code == 200
def test_health_endpoint_has_security_headers(client: TestClient):
"""Test that security headers are present on all endpoints."""
response = client.get("/health")
assert "X-Frame-Options" in response.headers
assert "X-Content-Type-Options" in response.headers
assert "Content-Security-Policy" in response.headers
Reference in New Issue View Git Blame Copy Permalink