mirror of
https://github.com/GSA/notifications-api.git
synced 2026-07-19 14:04:20 -04:00
Made changes for zap scans
This commit is contained in:
30
tests/app/test_security_headers.py
Normal file
30
tests/app/test_security_headers.py
Normal file
@@ -0,0 +1,30 @@
|
||||
import pytest
|
||||
|
||||
|
||||
@pytest.mark.usefixtures('notify_db_session')
|
||||
class TestSecurityHeaders:
|
||||
"""Test security headers for ZAP scan compliance."""
|
||||
|
||||
def test_options_request_returns_204_with_cors_headers(self, client):
|
||||
"""Test that OPTIONS requests return 204 with proper CORS headers."""
|
||||
response = client.options('/')
|
||||
|
||||
assert response.status_code == 204
|
||||
assert response.headers.get('Access-Control-Allow-Origin') == '*'
|
||||
assert response.headers.get('Access-Control-Allow-Methods') == 'GET, POST, PUT, DELETE, OPTIONS'
|
||||
assert response.headers.get('Access-Control-Allow-Headers') == 'Content-Type, Authorization'
|
||||
assert response.headers.get('Access-Control-Max-Age') == '3600'
|
||||
|
||||
@pytest.mark.parametrize("endpoint", [
|
||||
'/_status',
|
||||
'/_status?simple=1',
|
||||
'/_status/live-service-and-organization-counts'
|
||||
])
|
||||
def test_status_endpoints_have_cache_control_headers(self, client, endpoint):
|
||||
"""Test that all status endpoints have proper cache-control headers."""
|
||||
response = client.get(endpoint)
|
||||
|
||||
assert response.status_code == 200
|
||||
assert response.headers.get('Cache-Control') == 'no-cache, no-store, must-revalidate'
|
||||
assert response.headers.get('Pragma') == 'no-cache'
|
||||
assert response.headers.get('Expires') == '0'
|
||||
Reference in New Issue
Block a user