72 lines
2.8 KiB
Bash
Executable File
72 lines
2.8 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
set -Eeuo pipefail
|
|
|
|
GREEN='\033[0;32m'
|
|
RED='\033[0;31m'
|
|
YELLOW='\033[0;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m'
|
|
|
|
FAILURES=0
|
|
|
|
fail() { echo -e "${RED}✗ $1${NC}"; FAILURES=$((FAILURES+1)); }
|
|
pass() { echo -e "${GREEN}✓ $1${NC}"; }
|
|
|
|
require_header() {
|
|
local headers=$1; local name=$2; local pattern=${3:-}
|
|
if ! echo "$headers" | grep -qi "^$name:"; then fail "$name header not found"; return; fi
|
|
if [ -n "$pattern" ] && ! echo "$headers" | grep -i "^$name:" | grep -qiE "$pattern"; then fail "$name does not match expected pattern: $pattern"; return; fi
|
|
pass "$name present"
|
|
}
|
|
|
|
require_header_absent() {
|
|
local headers=$1; local name=$2
|
|
if echo "$headers" | grep -qi "^$name:"; then fail "$name should be absent"; else pass "$name absent as expected"; fi
|
|
}
|
|
|
|
assert_http_status() {
|
|
local url=$1; local expected=$2
|
|
local code; code=$(curl -s -o /dev/null -w "%{http_code}" -I "$url")
|
|
if [ "$code" != "$expected" ]; then fail "HTTP status $url expected $expected, got $code"; else pass "HTTP $expected for $url"; fi
|
|
}
|
|
|
|
DEV_URL="http://localhost:5005"
|
|
PROD_URL="https://ploughshares.nixc.us"
|
|
URL=${1:-$DEV_URL}
|
|
|
|
echo -e "${BLUE}Testing API Security Headers for ${URL}${NC}"
|
|
echo "=================================================="
|
|
|
|
test_api_headers() {
|
|
local endpoint=$1; local description=$2; local full_url="${URL}${endpoint}"
|
|
echo -e "\n${YELLOW}${description} (${endpoint})${NC}"
|
|
echo "------------------------------------------------"
|
|
assert_http_status "$full_url" 200
|
|
headers=$(curl -s -I "$full_url")
|
|
echo -e "${BLUE}Headers:${NC}"; echo "$headers" | grep -v "Date:" | grep -v "Server:"
|
|
|
|
require_header "$headers" "Content-Security-Policy"
|
|
require_header "$headers" "Access-Control-Allow-Origin" "\*"
|
|
require_header "$headers" "Access-Control-Allow-Methods"
|
|
require_header "$headers" "Access-Control-Allow-Headers"
|
|
require_header "$headers" "Cross-Origin-Resource-Policy" "cross-origin"
|
|
require_header_absent "$headers" "Cross-Origin-Embedder-Policy"
|
|
}
|
|
|
|
test_api_headers "/api/test" "API test endpoint headers"
|
|
|
|
echo -e "\n${YELLOW}OPTIONS preflight for /api/test${NC}"
|
|
echo "------------------------------------------------"
|
|
preflight_code=$(curl -s -o /dev/null -w "%{http_code}" -X OPTIONS -I "${URL}/api/test")
|
|
if [ "$preflight_code" != "200" ]; then fail "OPTIONS /api/test expected 200, got $preflight_code"; else pass "OPTIONS /api/test returns 200"; fi
|
|
preflight_headers=$(curl -s -X OPTIONS -I "${URL}/api/test")
|
|
require_header "$preflight_headers" "Access-Control-Allow-Origin" "\*"
|
|
require_header "$preflight_headers" "Access-Control-Allow-Methods"
|
|
require_header "$preflight_headers" "Access-Control-Allow-Headers"
|
|
|
|
if [ "$FAILURES" -gt 0 ]; then
|
|
echo -e "${RED}API header tests failed: $FAILURES issue(s).${NC}"; exit 1
|
|
else
|
|
echo -e "${GREEN}All API header tests passed.${NC}"
|
|
fi |