import pytest
@pytest.mark.usefixtures("notify_db_session")
class TestSecurityHeaders:
    """Checks for the response headers the ZAP scan expects the API to emit."""

    # Exact header values the CORS preflight response is expected to carry.
    # NOTE(review): the wildcard origin is pinned alongside "Authorization" in
    # Allow-Headers; confirm an unrestricted origin is the intended policy for
    # routes that accept bearer credentials.
    _CORS_HEADERS = {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
        "Access-Control-Max-Age": "3600",
    }

    # Exact cache-control header values expected on every status endpoint.
    _NO_STORE_HEADERS = {
        "Cache-Control": "no-cache, no-store, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }

    @staticmethod
    def _assert_headers(response, expected):
        """Assert each header in *expected* is present on *response* with that exact value.

        The header name is attached to the assertion so a failure names the
        offending header rather than just the mismatched string.
        """
        for header_name, header_value in expected.items():
            assert response.headers.get(header_name) == header_value, header_name

    def test_options_request_returns_204_with_cors_headers(self, client):
        """A preflight OPTIONS on the root path answers 204 with the full CORS header set."""
        response = client.options("/")

        assert response.status_code == 204
        self._assert_headers(response, self._CORS_HEADERS)

    @pytest.mark.parametrize(
        "endpoint",
        [
            "/_status",
            "/_status?simple=1",
            "/_status/live-service-and-organization-counts",
        ],
    )
    def test_status_endpoints_have_cache_control_headers(self, client, endpoint):
        """Each status endpoint answers 200 and carries the no-store cache headers."""
        response = client.get(endpoint)

        assert response.status_code == 200
        self._assert_headers(response, self._NO_STORE_HEADERS)