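#!/bin/bash
#
# Probe a Ploughshares deployment for HTTP response headers.
#
# Sends HEAD/GET/OPTIONS/POST requests to a few UI and API endpoints and
# reports which security and CORS headers each response carries. This is a
# reporting tool: a missing header or a failed request is printed and the run
# continues, so `set -e` is deliberately not used.
#
# Usage:    ./<script> [BASE_URL]   (defaults to the local dev server)
# Requires: curl; jq is optional (JSON bodies are pretty-printed when present)

set -u

# Colors for better readability. They are expanded with printf '%b'; server
# supplied text is always printed through '%s' so backslash sequences in a
# response are shown verbatim rather than interpreted by `echo -e`.
readonly GREEN='\033[0;32m'
readonly RED='\033[0;31m'
readonly YELLOW='\033[0;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

# Base URLs to test
readonly DEV_URL="http://localhost:5005"
# shellcheck disable=SC2034 — kept for reference; pass it as $1 to test prod
readonly PROD_URL="https://ploughshares.nixc.us"

# Options shared by every request: stay quiet (-s) but keep curl's own error
# line (-S), and bound each request so an unreachable host cannot hang the run.
readonly CURL_OPTS=(-s -S --max-time 10)

# Base URL under test; set by main() and read by the functions below.
URL=

#######################################
# Print a section heading followed by a separator line.
# Arguments: $1 - heading text
#######################################
section() {
  printf '\n%b%s%b\n' "$YELLOW" "$1" "$NC"
  echo "------------------------------------------------"
}

#######################################
# Drop the volatile Date and Server headers from a header dump on stdin.
# Matches case-insensitively at line start so lowercase (HTTP/2-style) names
# are filtered too, while unrelated headers that merely contain "Date" stay.
#######################################
filter_headers() {
  grep -v -i -E '^(Date|Server):'
}

#######################################
# Exercise one endpoint with one HTTP method and print what came back.
# Globals:   URL (read)
# Arguments: $1 - endpoint path, $2 - HEAD | OPTIONS | GET, $3 - description
# Outputs:   response headers (and body for GET) to stdout
#######################################
test_endpoint() {
  local endpoint=$1
  local method=$2
  local description=$3
  local full_url="${URL}${endpoint}"

  section "Testing ${method} ${endpoint}: ${description}"

  case "$method" in
    HEAD)
      # -I issues a HEAD request and prints only the response headers
      curl "${CURL_OPTS[@]}" -I "${full_url}" | filter_headers
      ;;
    OPTIONS)
      # Preflight-style request; -I still limits output to the headers
      curl "${CURL_OPTS[@]}" -X OPTIONS -I "${full_url}" | filter_headers
      ;;
    GET)
      # Headers first, then the body as a separate request
      printf '%bHeaders:%b\n' "$BLUE" "$NC"
      curl "${CURL_OPTS[@]}" -I "${full_url}" | filter_headers
      printf '\n%bResponse:%b\n' "$BLUE" "$NC"
      curl "${CURL_OPTS[@]}" "${full_url}"
      printf '\n\n'
      ;;
    *)
      printf 'Unsupported method: %s\n' "${method}" >&2
      ;;
  esac

  echo "------------------------------------------------"
}

#######################################
# Report presence/value of one header in a header dump.
# Header names are compared case-insensitively and anchored at line start, so
# "Content-Security-Policy" does not match "Content-Security-Policy-Report-Only"
# and lowercase names from HTTP/2 responses are still recognised. Trailing CRs
# from the wire are stripped from the printed value.
# Arguments: $1 - header name, $2 - raw header text (one header per line)
# Outputs:   one line per matching header, or a "not found" line
#######################################
check_header() {
  local header=$1
  local headers=$2
  local line value found=0

  while IFS= read -r line; do
    line=${line%$'\r'}
    if [[ "${line,,}" == "${header,,}:"* ]]; then
      found=1
      value=${line#*:}
      value=${value# }
      printf '%b✓ %s: %s%b\n' "$GREEN" "$header" "$value" "$NC"
    fi
  done <<<"$headers"

  if (( found == 0 )); then
    printf '%b✗ %s not found%b\n' "$RED" "$header" "$NC"
  fi
}

#######################################
# Fetch an endpoint's headers once and check the security headers of interest
# (plus CORS headers for /api/ paths).
# Globals:   URL (read)
# Arguments: $1 - endpoint path
#######################################
check_security_headers() {
  local endpoint=$1
  local full_url="${URL}${endpoint}"
  local headers name

  section "Checking security headers for ${endpoint}"

  # One request; every check below reads the same captured response
  headers=$(curl "${CURL_OPTS[@]}" -I "${full_url}")

  # X-XSS-Protection is a legacy header kept for parity with the original list
  local -a wanted=(
    "Content-Security-Policy"
    "Cross-Origin-Resource-Policy"
    "Cross-Origin-Embedder-Policy"
    "Cross-Origin-Opener-Policy"
    "X-Frame-Options"
    "X-Content-Type-Options"
    "X-XSS-Protection"
    "Referrer-Policy"
  )
  # For API endpoints, also check the CORS headers
  if [[ "$endpoint" == "/api/"* ]]; then
    wanted+=(
      "Access-Control-Allow-Origin"
      "Access-Control-Allow-Methods"
      "Access-Control-Allow-Headers"
    )
  fi

  for name in "${wanted[@]}"; do
    check_header "$name" "$headers"
  done

  echo "------------------------------------------------"
}

#######################################
# Run the whole header survey against the chosen base URL.
# Arguments: $1 - base URL (optional; defaults to DEV_URL)
#######################################
main() {
  URL=${1:-$DEV_URL}

  printf '%bTesting headers for %s%b\n' "$BLUE" "$URL" "$NC"
  echo "=================================================="

  # Test UI endpoints
  test_endpoint "/" "HEAD" "Main page headers"
  check_security_headers "/"

  # Test API endpoints
  test_endpoint "/api/test" "HEAD" "API test endpoint headers"
  check_security_headers "/api/test"
  test_endpoint "/api/test" "GET" "API test endpoint response"

  # Test OPTIONS request for CORS preflight
  test_endpoint "/api/test" "OPTIONS" "API CORS preflight request"

  # Test a POST request to API; jq's stderr is silenced because a non-JSON
  # body is an expected outcome that the fallback message reports
  section "Testing POST to /api/transactions"
  curl "${CURL_OPTS[@]}" -X POST "${URL}/api/transactions" \
    -H "Content-Type: application/json" \
    -d '{"test": "data"}' | jq . 2>/dev/null || echo "Response is not valid JSON"
  printf '\n------------------------------------------------\n'

  # Test with different Accept headers
  section "Testing with Accept: application/json header"
  curl "${CURL_OPTS[@]}" -H "Accept: application/json" "${URL}/api/test" \
    | jq . 2>/dev/null || echo "Response is not valid JSON"
  printf '\n------------------------------------------------\n'

  printf '\n%bTests completed for %s%b\n' "$BLUE" "$URL" "$NC"
}

main "$@"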