tests/app/test_security_headers.py

import pytest


@pytest.mark.usefixtures('notify_db_session')
class TestSecurityHeaders:
    """Test security headers for ZAP scan compliance."""

    def test_options_request_returns_204_with_cors_headers(self, client):
        """Test that OPTIONS requests return 204 with proper CORS headers."""
        response = client.options('/')

        assert response.status_code == 204
        assert response.headers.get('Access-Control-Allow-Origin') == '*'
        assert response.headers.get('Access-Control-Allow-Methods') == 'GET, POST, PUT, DELETE, OPTIONS'
        assert response.headers.get('Access-Control-Allow-Headers') == 'Content-Type, Authorization'
        assert response.headers.get('Access-Control-Max-Age') == '3600'

    @pytest.mark.parametrize("endpoint", [
        '/_status',
        '/_status?simple=1',
        '/_status/live-service-and-organization-counts'
    ])
    def test_status_endpoints_have_cache_control_headers(self, client, endpoint):
        """Test that all status endpoints have proper cache-control headers."""
        response = client.get(endpoint)

        assert response.status_code == 200
        assert response.headers.get('Cache-Control') == 'no-cache, no-store, must-revalidate'
        assert response.headers.get('Pragma') == 'no-cache'
        assert response.headers.get('Expires') == '0'
Made changes for zap scans 2025-07-31 10:50:55 -04:00			`import pytest`


			`@pytest.mark.usefixtures('notify_db_session')`
			`class TestSecurityHeaders:`
			`"""Test security headers for ZAP scan compliance."""`

			`def test_options_request_returns_204_with_cors_headers(self, client):`
			`"""Test that OPTIONS requests return 204 with proper CORS headers."""`
			`response = client.options('/')`

			`assert response.status_code == 204`
			`assert response.headers.get('Access-Control-Allow-Origin') == '*'`
			`assert response.headers.get('Access-Control-Allow-Methods') == 'GET, POST, PUT, DELETE, OPTIONS'`
			`assert response.headers.get('Access-Control-Allow-Headers') == 'Content-Type, Authorization'`
			`assert response.headers.get('Access-Control-Max-Age') == '3600'`

			`@pytest.mark.parametrize("endpoint", [`
			`'/_status',`
			`'/_status?simple=1',`
			`'/_status/live-service-and-organization-counts'`
			`])`
			`def test_status_endpoints_have_cache_control_headers(self, client, endpoint):`
			`"""Test that all status endpoints have proper cache-control headers."""`
			`response = client.get(endpoint)`

			`assert response.status_code == 200`
			`assert response.headers.get('Cache-Control') == 'no-cache, no-store, must-revalidate'`
			`assert response.headers.get('Pragma') == 'no-cache'`
			`assert response.headers.get('Expires') == '0'`