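const { test, expect } = require('@playwright/test');

// Origin under test. Overridable so the same suite can be pointed at another
// deployment; the default is the local server the suite was written against.
const BASE_URL = process.env.BASE_URL ?? 'http://localhost:8080';

/**
 * Navigates to BASE_URL and returns the main-document response.
 *
 * The response is taken from `page.goto()` itself. A subsequent
 * `page.waitForResponse(url)` only sees responses that arrive *after* it is
 * registered; by the time `goto()` has resolved the document response has
 * already completed, so that pattern waits until the test timeout.
 *
 * @param {import('@playwright/test').Page} page - Playwright page fixture.
 * @returns {Promise<import('@playwright/test').Response>} main-document response.
 */
async function loadMainDocument(page) {
  const response = await page.goto(BASE_URL);
  // goto() resolves with null only for about:blank / same-document navigations.
  expect(response, 'navigation produced no main-document response').not.toBeNull();
  return response;
}

test.describe('Security Headers Tests', () => {
  test('should have all required security headers', async ({ page }) => {
    const headers = (await loadMainDocument(page)).headers();

    // Header name -> expectation. A plain string is an exact match; an
    // `expect.stringContaining()` matcher is a substring match.
    const requiredHeaders = {
      'Content-Security-Policy': expect.stringContaining("default-src 'self'"),
      'X-Content-Type-Options': 'nosniff',
      'X-Frame-Options': 'DENY',
      // NOTE(review): X-XSS-Protection is a legacy header; current guidance is
      // `0` or omitting it, with CSP as the effective control. Kept at the
      // value this deployment is expected to emit.
      'X-XSS-Protection': '1; mode=block',
      'Referrer-Policy': 'strict-origin-when-cross-origin',
      'Permissions-Policy': expect.stringContaining('geolocation=()'),
      // Browsers only honour HSTS over HTTPS; over plain http:// this still
      // verifies the header is emitted with the expected max-age.
      'Strict-Transport-Security': expect.stringContaining('max-age=31536000'),
    };

    for (const [header, expectedValue] of Object.entries(requiredHeaders)) {
      // response.headers() keys are lower-cased by Playwright.
      const headerValue = headers[header.toLowerCase()];
      expect(headerValue, `missing header ${header}`).toBeDefined();
      // toEqual() accepts both a plain string and an asymmetric matcher such as
      // expect.stringContaining(); toMatch() only takes a string or RegExp and
      // rejects a matcher object, which made the substring cases fail.
      expect(headerValue, `unexpected value for ${header}`).toEqual(expectedValue);
    }
  });

  test('should have correct CSP directives with nonce and hash', async ({ page }) => {
    const csp = (await loadMainDocument(page)).headers()['content-security-policy'];
    expect(csp, 'Content-Security-Policy header missing').toBeDefined();

    // Essential directives. Only the `'nonce-` prefix is asserted here; the
    // nonce value itself is compared against the DOM in the next test.
    const expectedDirectives = [
      "default-src 'self'",
      "script-src 'self' 'nonce-",
      "'sha256-ryQsJ+aghKKD/CeXgx8jtsnZT3Epp3EjIw8RyHIq544='",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data: https: http:",
      "font-src 'self'",
      "connect-src 'self'",
    ];
    for (const directive of expectedDirectives) {
      expect(csp, `CSP missing ${directive}`).toContain(directive);
    }
  });

  test('should have nonce attributes on script tags', async ({ page }) => {
    const csp = (await loadMainDocument(page)).headers()['content-security-policy'];
    // The nonce that script-src authorises for this response.
    const cspNonce = csp?.match(/'nonce-([^']+)'/)?.[1];
    expect(cspNonce, 'CSP script-src carries no nonce').toBeTruthy();

    // Read the `nonce` IDL property rather than the content attribute: on a
    // document with a header-delivered CSP, browsers blank the attribute
    // value, and hasAttribute('nonce') alone would also accept an empty nonce.
    const nonces = await page.locator('script').evaluateAll(
      (scripts) => scripts.map((el) => el.nonce),
    );
    // Guard against a vacuous pass on a page with no script elements.
    expect(nonces.length, 'page has no script elements').toBeGreaterThan(0);
    for (const nonce of nonces) {
      // Every script must carry the exact nonce the header authorises.
      expect(nonce).toBe(cspNonce);
    }
  });
});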