mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-17 02:32:32 -05:00
31 lines
1.3 KiB
Python
31 lines
1.3 KiB
Python
import pytest
|
|
|
|
|
|
@pytest.mark.usefixtures('notify_db_session')
|
|
class TestSecurityHeaders:
|
|
"""Test security headers for ZAP scan compliance."""
|
|
|
|
def test_options_request_returns_204_with_cors_headers(self, client):
|
|
"""Test that OPTIONS requests return 204 with proper CORS headers."""
|
|
response = client.options('/')
|
|
|
|
assert response.status_code == 204
|
|
assert response.headers.get('Access-Control-Allow-Origin') == '*'
|
|
assert response.headers.get('Access-Control-Allow-Methods') == 'GET, POST, PUT, DELETE, OPTIONS'
|
|
assert response.headers.get('Access-Control-Allow-Headers') == 'Content-Type, Authorization'
|
|
assert response.headers.get('Access-Control-Max-Age') == '3600'
|
|
|
|
@pytest.mark.parametrize("endpoint", [
|
|
'/_status',
|
|
'/_status?simple=1',
|
|
'/_status/live-service-and-organization-counts'
|
|
])
|
|
def test_status_endpoints_have_cache_control_headers(self, client, endpoint):
|
|
"""Test that all status endpoints have proper cache-control headers."""
|
|
response = client.get(endpoint)
|
|
|
|
assert response.status_code == 200
|
|
assert response.headers.get('Cache-Control') == 'no-cache, no-store, must-revalidate'
|
|
assert response.headers.get('Pragma') == 'no-cache'
|
|
assert response.headers.get('Expires') == '0'
|