forked from colin/resume
49 lines
2.1 KiB
JavaScript
49 lines
2.1 KiB
JavaScript
const { test, expect } = require('@playwright/test');
|
|
|
|
test.describe('Security Headers Tests', () => {
|
|
test('should have all required security headers', async ({ page }) => {
|
|
// Navigate to the page
|
|
await page.goto('http://localhost:8080');
|
|
|
|
// Get response headers
|
|
const response = await page.waitForResponse('http://localhost:8080');
|
|
const headers = response.headers();
|
|
|
|
// Define required headers and their expected values
|
|
const requiredHeaders = {
|
|
'Content-Security-Policy': expect.stringContaining("default-src 'self'"),
|
|
'X-Content-Type-Options': 'nosniff',
|
|
'X-Frame-Options': 'DENY',
|
|
'X-XSS-Protection': '1; mode=block',
|
|
'Referrer-Policy': 'strict-origin-when-cross-origin',
|
|
'Permissions-Policy': expect.stringContaining('geolocation=()'),
|
|
'Strict-Transport-Security': expect.stringContaining('max-age=31536000'),
|
|
};
|
|
|
|
// Check each required header
|
|
for (const [header, expectedValue] of Object.entries(requiredHeaders)) {
|
|
const headerValue = headers[header.toLowerCase()];
|
|
expect(headerValue).toBeDefined();
|
|
if (typeof expectedValue === 'string') {
|
|
expect(headerValue).toBe(expectedValue);
|
|
} else {
|
|
expect(headerValue).toMatch(expectedValue);
|
|
}
|
|
}
|
|
});
|
|
|
|
test('should have correct CSP directives', async ({ page }) => {
|
|
await page.goto('http://localhost:8080');
|
|
const response = await page.waitForResponse('http://localhost:8080');
|
|
const headers = response.headers();
|
|
const csp = headers['content-security-policy'];
|
|
|
|
// Check for essential CSP directives
|
|
expect(csp).toContain("default-src 'self'");
|
|
expect(csp).toContain("script-src 'self' 'unsafe-inline'");
|
|
expect(csp).toContain("style-src 'self' 'unsafe-inline'");
|
|
expect(csp).toContain("img-src 'self' data: https: http:");
|
|
expect(csp).toContain("font-src 'self'");
|
|
expect(csp).toContain("connect-src 'self'");
|
|
});
|
|
});
|