forked from Rockachopa/Timmy-time-dashboard
36fc10097f
* feat: set qwen3.5:latest as default model - Make qwen3.5:latest the primary default model for faster inference - Move llama3.1:8b-instruct to fallback chain - Update text fallback chain to prioritize qwen3.5:latest Retains full backward compatibility via cascade fallback. * test: remove ~55 brittle, duplicate, and useless tests Audit of all 100 test files identified tests that provided no real regression protection. Removed: - 4 files deleted entirely: test_setup_script (always skipped), test_csrf_bypass (tautological assertions), test_input_validation (accepts 200-500 status codes), test_security_regression (fragile source-pattern checks redundant with rendering tests) - Duplicate test classes (TestToolTracking, TestCalculatorExtended) - Mock-only tests that just verify mock wiring, not behavior - Structurally broken tests (TestCreateToolFunctions patches after import) - Empty/pass-body tests and meaningless assertions (len > 20) - Flaky subprocess tests (aider tool calling real binary) All 1328 remaining tests pass. Net: -699 lines, zero coverage loss. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: prevent test pollution from autoresearch_enabled mutation test_autoresearch_perplexity.py was setting settings.autoresearch_enabled = True but never restoring it in the finally block — polluting subsequent tests. When pytest-randomly ordered it before test_experiments_page_shows_disabled_when_off, the victim test saw enabled=True and failed to find "Disabled" in the page. Fix both sides: - Restore autoresearch_enabled in the finally block (root cause) - Mock settings explicitly in the victim test (defense in depth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Trip T <trip@local> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
51 lines
1.8 KiB
Python
51 lines
1.8 KiB
Python
"""Test security headers middleware in FastAPI app."""
|
|
|
|
from fastapi.testclient import TestClient
|
|
|
|
|
|
def test_security_headers_present(client: TestClient):
|
|
"""Test that security headers are present in all responses."""
|
|
response = client.get("/")
|
|
|
|
# Check for security headers
|
|
assert "X-Frame-Options" in response.headers
|
|
assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
|
|
|
|
assert "X-Content-Type-Options" in response.headers
|
|
assert response.headers["X-Content-Type-Options"] == "nosniff"
|
|
|
|
assert "X-XSS-Protection" in response.headers
|
|
assert response.headers["X-XSS-Protection"] == "1; mode=block"
|
|
|
|
assert "Referrer-Policy" in response.headers
|
|
assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"
|
|
|
|
assert "Content-Security-Policy" in response.headers
|
|
|
|
|
|
def test_csp_header_content(client: TestClient):
|
|
"""Test that Content Security Policy is properly configured."""
|
|
response = client.get("/")
|
|
csp = response.headers.get("Content-Security-Policy", "")
|
|
|
|
# Should restrict default-src to self
|
|
assert "default-src 'self'" in csp
|
|
|
|
# Should allow scripts from self and CDN
|
|
assert "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net" in csp
|
|
|
|
# Should allow styles from self, CDN, and Google Fonts
|
|
assert "style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net" in csp
|
|
|
|
# Should restrict frame ancestors to self
|
|
assert "frame-ancestors 'self'" in csp
|
|
|
|
|
|
def test_health_endpoint_has_security_headers(client: TestClient):
|
|
"""Test that security headers are present on all endpoints."""
|
|
response = client.get("/health")
|
|
|
|
assert "X-Frame-Options" in response.headers
|
|
assert "X-Content-Type-Options" in response.headers
|
|
assert "Content-Security-Policy" in response.headers
|