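#!/bin/bash
#
# test_api_headers.sh - probe a ploughshares deployment and report on the
# security-relevant response headers (CSP, CORS, CORP, nosniff, HSTS,
# framing) of the UI page and the /api/test endpoint.
#
# Usage: test_api_headers.sh [BASE_URL]
#   BASE_URL defaults to the local dev server (DEV_URL); pass PROD_URL to
#   check the deployed instance.
#
# This script is a reporter, not a gate: it keeps going after a failed check
# so that every finding is printed. -e is therefore deliberately left off;
# -u and pipefail still catch typos and silently failing pipelines.
set -uo pipefail

# ANSI colours for readability of the report
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[0;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
readonly GREEN RED YELLOW BLUE NC

# Base URLs to test
readonly DEV_URL="http://localhost:5005"
readonly PROD_URL="https://ploughshares.nixc.us"

case "${1:-}" in
  -h|--help)
    printf 'Usage: %s [BASE_URL]\n  dev (default): %s\n  production:    %s\n' \
      "${0##*/}" "$DEV_URL" "$PROD_URL"
    exit 0
    ;;
esac

# Default to development URL unless specified. A trailing slash is stripped
# so "${URL}/api/test" never turns into "...//api/test".
URL=${1:-$DEV_URL}
URL=${URL%/}
echo -e "${BLUE}Testing API Security Headers for ${URL}${NC}"
echo "=================================================="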
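#######################################
# Print the value of one HTTP response header.
# Header names are matched case-insensitively (HTTP/2 lowercases them) and
# the trailing CR curl leaves on each header line is removed. With several
# matching lines the first one wins.
# Arguments:
#   $1 - raw response header block as dumped by curl
#   $2 - header name, e.g. Content-Security-Policy
# Outputs:
#   the header value (whitespace-trimmed), or nothing if absent
#######################################
header_value() {
  local headers=$1 name=$2
  printf '%s\n' "$headers" \
    | tr -d '\r' \
    | grep -i "^${name}:" \
    | head -n1 \
    | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

#######################################
# Print the value of one CSP directive.
# The policy is split on ';' first so the match is confined to a single
# directive and cannot bleed into the next one (a naive "script-src.*X"
# regex would also match X in a later style-src directive).
# Arguments:
#   $1 - full Content-Security-Policy value
#   $2 - directive name, e.g. script-src (case-insensitive)
# Outputs:
#   the directive's source list, possibly empty
# Returns:
#   0 if the directive is present, 1 if not
#######################################
csp_directive() {
  local policy=$1 directive=$2
  printf '%s' "$policy" | awk -v want="$directive" '
    BEGIN { RS = ";"; found = 0 }
    {
      sub(/^[ \t\r\n]+/, ""); sub(/[ \t\r\n]+$/, "")
      split($0, tok, /[ \t\r\n]+/)
      if (tolower(tok[1]) == tolower(want)) {
        sub(/^[^ \t\r\n]+[ \t\r\n]*/, "")
        print; found = 1; exit
      }
    }
    END { exit !found }'
}

#######################################
# Fetch one endpoint and report on its security headers.
#
# CSP governs what a *browser* rendering the response may run or fetch; it
# has no effect on non-browser API clients (curl, SDKs). So 'unsafe-inline'
# / 'unsafe-eval' are never "needed for API clients" - they only weaken the
# page's XSS defence - and a wildcard connect-src does not grant other sites
# access to this API; that is what CORS (Access-Control-*) does.
#
# Globals:
#   URL (read), GREEN/RED/YELLOW/BLUE/NC (read)
# Arguments:
#   $1 - endpoint path, e.g. /api/test (paths under /api/ get CORS checks)
#   $2 - human-readable description
# Outputs:
#   the report, to stdout
# Returns:
#   1 if the request itself failed, 0 otherwise (findings never fail it)
#######################################
test_headers() {
  local endpoint=$1
  local description=${2:-$endpoint}
  local full_url="${URL}${endpoint}"
  # Origin we present ourselves as, to make CORS middleware answer and to
  # detect servers that simply echo any Origin back.
  local probe_origin="http://example.com"
  local is_api=0
  if [[ "$endpoint" == "/api/"* ]]; then
    is_api=1
  fi

  echo -e "\n${YELLOW}Testing headers for ${description} (${endpoint})${NC}"
  echo "------------------------------------------------"

  # Use a real GET and dump the headers (-D -) instead of -I: some frameworks
  # omit security/CORS headers on HEAD, and CORS middleware generally only
  # emits Access-Control-* when an Origin header is present.
  local headers
  if ! headers=$(curl -sS -o /dev/null -D - -H "Origin: ${probe_origin}" "${full_url}"); then
    echo -e "${RED}✗ Request to ${full_url} failed${NC}"
    return 1
  fi

  echo -e "${BLUE}All Headers:${NC}"
  printf '%s\n' "$headers" | tr -d '\r' | grep -iv -e '^date:' -e '^server:'

  echo -e "\n${BLUE}Security Header Analysis:${NC}"
  local csp
  csp=$(header_value "$headers" "Content-Security-Policy")
  if [[ -n "$csp" ]]; then
    echo -e "${GREEN}✓ Content-Security-Policy present${NC}"
    printf '  %s\n' "$csp"

    # script-src falls back to default-src when absent; with neither set,
    # scripts from any origin are allowed.
    local script_src
    if script_src=$(csp_directive "$csp" script-src); then
      :
    elif script_src=$(csp_directive "$csp" default-src); then
      echo -e "  ${BLUE}ℹ no script-src; default-src applies to scripts${NC}"
    else
      script_src=""
      echo -e "  ${RED}✗ neither script-src nor default-src set - scripts from any origin allowed${NC}"
    fi

    if [[ -n "$script_src" ]]; then
      if [[ "$script_src" == *"'unsafe-inline'"* ]]; then
        if [[ "$script_src" == *"'nonce-"* || "$script_src" == *"'sha"* ]]; then
          # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
          echo -e "  ${YELLOW}⚠ script-src has 'unsafe-inline' next to a nonce/hash - ignored by modern browsers; remove it${NC}"
        else
          echo -e "  ${RED}✗ script-src allows 'unsafe-inline' - defeats XSS protection; use nonces or hashes instead${NC}"
        fi
      else
        echo -e "  ${GREEN}✓ script-src does not allow 'unsafe-inline'${NC}"
      fi
      if [[ "$script_src" == *"'unsafe-eval'"* ]]; then
        echo -e "  ${RED}✗ script-src allows 'unsafe-eval' - eval()/Function() of injected strings is possible${NC}"
      else
        echo -e "  ${GREEN}✓ script-src does not allow 'unsafe-eval'${NC}"
      fi
      if [[ " ${script_src} " == *" * "* ]]; then
        echo -e "  ${RED}✗ script-src contains * - scripts may be loaded from any origin${NC}"
      fi
    fi

    local connect_src
    if connect_src=$(csp_directive "$csp" connect-src) \
        || connect_src=$(csp_directive "$csp" default-src); then
      if [[ " ${connect_src} " == *" * "* ]]; then
        echo -e "  ${YELLOW}⚠ connect-src is * - this page's scripts may call any origin (this does NOT grant other sites access to the API; that is CORS)${NC}"
      else
        echo -e "  ${GREEN}✓ connect-src restricted: ${connect_src}${NC}"
      fi
    fi
  else
    local csp_ro
    csp_ro=$(header_value "$headers" "Content-Security-Policy-Report-Only")
    if [[ -n "$csp_ro" ]]; then
      echo -e "${YELLOW}⚠ only Content-Security-Policy-Report-Only is set - violations are reported, not blocked${NC}"
    else
      echo -e "${RED}✗ Content-Security-Policy header not found${NC}"
    fi
  fi

  echo -e "\n${BLUE}Other security headers:${NC}"
  local xcto
  xcto=$(header_value "$headers" "X-Content-Type-Options")
  if printf '%s' "$xcto" | grep -qi '^nosniff$'; then
    echo -e "${GREEN}✓ X-Content-Type-Options: nosniff${NC}"
  else
    echo -e "${RED}✗ X-Content-Type-Options: nosniff missing - responses may be MIME-sniffed${NC}"
  fi
  # HSTS is only meaningful (and only honoured by browsers) over HTTPS.
  if [[ "$full_url" == https://* ]]; then
    local hsts
    hsts=$(header_value "$headers" "Strict-Transport-Security")
    if [[ -n "$hsts" ]]; then
      echo -e "${GREEN}✓ Strict-Transport-Security: ${hsts}${NC}"
    else
      echo -e "${RED}✗ Strict-Transport-Security missing - no protection against SSL stripping${NC}"
    fi
  fi
  if (( ! is_api )); then
    local frame_anc xfo
    frame_anc=$(csp_directive "$csp" frame-ancestors)
    xfo=$(header_value "$headers" "X-Frame-Options")
    if [[ -n "$frame_anc" || -n "$xfo" ]]; then
      echo -e "${GREEN}✓ Clickjacking protection:${frame_anc:+ frame-ancestors ${frame_anc}}${xfo:+ X-Frame-Options: ${xfo}}${NC}"
    else
      echo -e "${YELLOW}⚠ No frame-ancestors directive or X-Frame-Options - page can be framed by any site${NC}"
    fi
  fi

  if (( is_api )); then
    echo -e "\n${BLUE}CORS Headers (critical for API):${NC}"
    local acao acac
    acao=$(header_value "$headers" "Access-Control-Allow-Origin")
    acac=$(header_value "$headers" "Access-Control-Allow-Credentials")
    if [[ -z "$acao" ]]; then
      echo -e "${RED}✗ Access-Control-Allow-Origin not returned for Origin ${probe_origin} - browser cross-origin calls will fail${NC}"
    elif [[ "$acao" == "$probe_origin" ]]; then
      # The server echoed an origin it has no reason to trust. Combined with
      # credentials this lets any site make authenticated calls.
      if [[ "$acac" == [Tt][Rr][Uu][Ee] ]]; then
        echo -e "${RED}✗ Access-Control-Allow-Origin reflects the request Origin AND Allow-Credentials is true - any site can make credentialed requests${NC}"
      else
        echo -e "${YELLOW}⚠ Access-Control-Allow-Origin reflects the request Origin (${acao}) - confirm an allow-list is enforced${NC}"
      fi
    elif [[ "$acao" == "*" ]]; then
      echo -e "${GREEN}✓ Access-Control-Allow-Origin: * (public, uncredentialed API)${NC}"
      if [[ "$acac" == [Tt][Rr][Uu][Ee] ]]; then
        echo -e "${YELLOW}⚠ Allow-Credentials: true with * is rejected by browsers - credentialed cross-origin calls will fail${NC}"
      fi
    else
      echo -e "${GREEN}✓ Access-Control-Allow-Origin: ${acao}${NC}"
    fi

    # Allow-Methods / Allow-Headers are only consulted on preflight (OPTIONS)
    # responses; their absence on a plain GET is normal, so report only.
    local methods allowed_headers
    methods=$(header_value "$headers" "Access-Control-Allow-Methods")
    allowed_headers=$(header_value "$headers" "Access-Control-Allow-Headers")
    if [[ -n "$methods" ]]; then
      echo -e "${GREEN}✓ Access-Control-Allow-Methods: ${methods}${NC}"
    else
      echo -e "${BLUE}ℹ Access-Control-Allow-Methods not on GET response - see the OPTIONS preflight below${NC}"
    fi
    if [[ -n "$allowed_headers" ]]; then
      echo -e "${GREEN}✓ Access-Control-Allow-Headers: ${allowed_headers}${NC}"
    else
      echo -e "${BLUE}ℹ Access-Control-Allow-Headers not on GET response - see the OPTIONS preflight below${NC}"
    fi
  fi

  # CORP: the API must be readable cross-origin, the UI should not be.
  local corp
  corp=$(header_value "$headers" "Cross-Origin-Resource-Policy")
  if [[ -z "$corp" ]]; then
    echo -e "\n${YELLOW}⚠ Cross-Origin-Resource-Policy header not found${NC}"
  else
    echo -e "\n${BLUE}Resource Policy:${NC}"
    if (( is_api )); then
      if [[ "$corp" == "cross-origin" ]]; then
        echo -e "${GREEN}✓ Cross-Origin-Resource-Policy: ${corp} - correct for API${NC}"
      else
        echo -e "${RED}✗ Cross-Origin-Resource-Policy: ${corp} - should be 'cross-origin' for API endpoints${NC}"
      fi
    else
      if [[ "$corp" == "same-origin" ]]; then
        echo -e "${GREEN}✓ Cross-Origin-Resource-Policy: ${corp} - correct for UI${NC}"
      else
        echo -e "${YELLOW}⚠ Cross-Origin-Resource-Policy: ${corp} - should be 'same-origin' for UI endpoints${NC}"
      fi
    fi
  fi

  echo "------------------------------------------------"
}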
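# ---------------------------------------------------------------------------
# Probes
# ---------------------------------------------------------------------------
test_headers "/" "Main UI page"
test_headers "/api/test" "API test endpoint"

# CORS preflight. A real browser preflight carries Access-Control-Request-*
# headers and most CORS middleware only answers with Access-Control-Allow-*
# when they are present, so send them. "-D - -o /dev/null" dumps the
# response headers without turning the request into a HEAD the way -I does.
echo -e "\n${YELLOW}Testing OPTIONS request for CORS preflight${NC}"
echo "------------------------------------------------"
curl -sS -o /dev/null -D - -X OPTIONS \
  -H "Origin: http://example.com" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: Content-Type" \
  "${URL}/api/test" | tr -d '\r' | grep -iv -e '^date:' -e '^server:'
echo "------------------------------------------------"

# Simulated browser/API client: a plain cross-origin GET asking for JSON.
echo -e "\n${YELLOW}Testing with a simulated API client${NC}"
echo "------------------------------------------------"
echo -e "${BLUE}Command:${NC} curl -sS -H \"Origin: http://example.com\" -H \"Accept: application/json\" \"${URL}/api/test\""
response=$(curl -sS -H "Origin: http://example.com" -H "Accept: application/json" "${URL}/api/test")
echo -e "${BLUE}Response:${NC}"
# Pretty-print only when jq is installed and the body really is JSON;
# otherwise show the raw body (printf, not echo, so a body starting with
# "-n" or containing backslashes is not mangled).
if command -v jq >/dev/null 2>&1 && printf '%s' "$response" | jq . >/dev/null 2>&1; then
  printf '%s' "$response" | jq .
else
  printf '%s\n' "$response"
fi
echo "------------------------------------------------"
echo -e "\n${GREEN}All header tests completed.${NC}"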