tests/app/main/views/test_headers.py


def test_owasp_useful_headers_set(app_):
    with app_.test_request_context():
        response = app_.test_client().get('/')
    assert response.status_code == 200
    assert response.headers['X-Frame-Options'] == 'deny'
    assert response.headers['X-Content-Type-Options'] == 'nosniff'
    assert response.headers['X-XSS-Protection'] == '1; mode=block'
    assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; script-src 'self' *.google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' *.google-analytics.com data:;"  # noqa
Add some useful owasp suggested headers 2016-01-07 13:58:38 +00:00
Tests added for dao. 2016-01-15 15:15:35 +00:00			`def test_owasp_useful_headers_set(app_):`
			`with app_.test_request_context():`
			`response = app_.test_client().get('/')`
Add some useful owasp suggested headers 2016-01-07 13:58:38 +00:00			`assert response.status_code == 200`
			`assert response.headers['X-Frame-Options'] == 'deny'`
			`assert response.headers['X-Content-Type-Options'] == 'nosniff'`
			`assert response.headers['X-XSS-Protection'] == '1; mode=block'`
Add Google Analytics https://www.pivotaltracker.com/story/show/115861923 Makes some changes to the content security policy, to allow the Google Analytics JS and trakcing image to be loaded, copied from @alexmuller’s excellent work on GOV.UK: https://gdstechnology.blog.gov.uk/2015/02/12/experimenting-with-content-security-policy-on-gov-uk/ https://github.com/alphagov/frontend/pull/733 2016-03-18 14:49:53 +00:00			`assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; script-src 'self' .google-analytics.com 'unsafe-inline' data:; object-src 'self'; font-src 'self' data:; img-src 'self' .google-analytics.com data:;" # noqa`