from re import search
def test_owasp_useful_headers_set(
|
2022-01-04 15:40:42 +00:00
|
|
|
client_request,
|
2019-04-10 17:20:51 +01:00
|
|
|
mocker,
|
2023-07-12 12:09:44 -04:00
|
|
|
mock_get_service_and_organization_counts,
|
2019-04-10 17:20:51 +01:00
|
|
|
):
|
2024-07-11 09:38:32 -07:00
|
|
|
|
|
|
|
|
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
|
2022-01-04 15:40:42 +00:00
|
|
|
client_request.logout()
|
2023-08-25 09:12:23 -07:00
|
|
|
response = client_request.get_response(".index")
|
2017-07-24 15:20:40 +01:00
|
|
|
|
2023-08-25 09:12:23 -07:00
|
|
|
assert response.headers["X-Frame-Options"] == "deny"
|
|
|
|
|
assert response.headers["X-Content-Type-Options"] == "nosniff"
|
|
|
|
|
csp = response.headers["Content-Security-Policy"]
|
2023-03-07 16:08:51 -05:00
|
|
|
assert search(r"default-src 'self' static\.example\.com;", csp)
|
2023-04-19 15:34:38 -04:00
|
|
|
assert search(r"frame-ancestors 'none';", csp)
|
|
|
|
|
assert search(r"form-action 'self';", csp)
|
2023-03-07 16:08:51 -05:00
|
|
|
assert search(
|
2023-10-26 12:05:26 -07:00
|
|
|
r"script-src 'self' static\.example\.com 'unsafe-eval' https:\/\/js-agent\.new"
|
2023-11-27 16:26:22 -05:00
|
|
|
r"relic\.com https:\/\/gov-bam\.nr-data\.net https:\/\/www\.googletagmanager\."
|
2023-12-12 16:45:21 -05:00
|
|
|
r"com https:\/\/www\.google-analytics\."
|
|
|
|
|
r"com https:\/\/dap\.digitalgov\."
|
|
|
|
|
r"gov 'nonce-.*';",
|
2023-08-25 09:12:23 -07:00
|
|
|
csp,
|
2018-05-25 10:18:39 +01:00
|
|
|
)
|
2023-12-13 08:50:25 -05:00
|
|
|
assert search(
|
|
|
|
|
r"connect-src 'self' https:\/\/gov-bam.nr-data\.net https:\/\/www\.google-analytics\."
|
|
|
|
|
r"com;",
|
|
|
|
|
csp,
|
|
|
|
|
)
|
2023-03-07 16:08:51 -05:00
|
|
|
assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
|
2023-04-19 15:34:38 -04:00
|
|
|
assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com", csp)