2016-01-07 13:58:38 +00:00
|
|
|
|
2017-02-03 12:07:21 +00:00
|
|
|
def test_owasp_useful_headers_set(client):
|
|
|
|
|
response = client.get('/')
|
2016-01-07 13:58:38 +00:00
|
|
|
assert response.status_code == 200
|
|
|
|
|
assert response.headers['X-Frame-Options'] == 'deny'
|
|
|
|
|
assert response.headers['X-Content-Type-Options'] == 'nosniff'
|
|
|
|
|
assert response.headers['X-XSS-Protection'] == '1; mode=block'
|
2016-07-05 07:12:21 +01:00
|
|
|
assert response.headers['Content-Security-Policy'] == (
|
|
|
|
|
"default-src 'self' 'unsafe-inline';"
|
2016-10-05 10:55:04 +01:00
|
|
|
"script-src 'self' *.google-analytics.com 'unsafe-inline' 'unsafe-eval' data:;"
|
2016-07-05 07:12:21 +01:00
|
|
|
"object-src 'self';"
|
|
|
|
|
"font-src 'self' data:;"
|
2016-10-05 10:55:04 +01:00
|
|
|
"img-src 'self' *.google-analytics.com *.notifications.service.gov.uk data:;"
|
2017-01-23 16:25:11 +00:00
|
|
|
"frame-src www.youtube.com;"
|
2016-07-05 07:12:21 +01:00
|
|
|
)
|