const { test, expect } = require('@playwright/test'); test.describe('Security Headers Tests', () => { test('should have all required security headers', async ({ page }) => { // Navigate to the page await page.goto('http://localhost:8080'); // Get response headers const response = await page.waitForResponse('http://localhost:8080'); const headers = response.headers(); // Define required headers and their expected values const requiredHeaders = { 'Content-Security-Policy': expect.stringContaining("default-src 'self'"), 'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'DENY', 'X-XSS-Protection': '1; mode=block', 'Referrer-Policy': 'strict-origin-when-cross-origin', 'Permissions-Policy': expect.stringContaining('geolocation=()'), 'Strict-Transport-Security': expect.stringContaining('max-age=31536000'), }; // Check each required header for (const [header, expectedValue] of Object.entries(requiredHeaders)) { const headerValue = headers[header.toLowerCase()]; expect(headerValue).toBeDefined(); if (typeof expectedValue === 'string') { expect(headerValue).toBe(expectedValue); } else { expect(headerValue).toMatch(expectedValue); } } }); test('should have correct CSP directives', async ({ page }) => { await page.goto('http://localhost:8080'); const response = await page.waitForResponse('http://localhost:8080'); const headers = response.headers(); const csp = headers['content-security-policy']; // Check for essential CSP directives expect(csp).toContain("default-src 'self'"); expect(csp).toContain("script-src 'self' 'unsafe-inline'"); expect(csp).toContain("style-src 'self' 'unsafe-inline'"); expect(csp).toContain("img-src 'self' data: https: http:"); expect(csp).toContain("font-src 'self'"); expect(csp).toContain("connect-src 'self'"); }); });