artem.kokos/ignis-core
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
85c840ba1bf27224aff6d84e31e1eb56efc0a143
ignis-core/tests/test_p1_ui_security.py
Artem Kokos 0fd64307b7 Harden UI security and add deployment templates
2026-05-16 11:22:02 +07:00

53 lines
2.1 KiB
Python
Raw Blame History

import os
import unittest
from pathlib import Path
from httpx import ASGITransport, AsyncClient
MASTER_KEY = "master-secret-for-ui-tests"
os.environ["IGNIS_API_KEY"] = MASTER_KEY
import main # noqa: E402
class UiSecurityTests(unittest.IsolatedAsyncioTestCase):
async def asyncSetUp(self):
self.client = AsyncClient(
transport=ASGITransport(app=main.app),
base_url="http://testserver",
)
async def asyncTearDown(self):
await self.client.aclose()
async def test_root_sets_security_headers(self):
response = await self.client.get("/")
self.assertEqual(response.status_code, 200)
self.assertEqual(response.headers["cache-control"], "no-store")
self.assertEqual(response.headers["pragma"], "no-cache")
self.assertEqual(response.headers["referrer-policy"], "no-referrer")
self.assertEqual(response.headers["x-content-type-options"], "nosniff")
self.assertEqual(response.headers["x-frame-options"], "DENY")
self.assertIn("default-src 'self'", response.headers["content-security-policy"])
self.assertIn("script-src 'self' 'unsafe-eval'", response.headers["content-security-policy"])
self.assertIn(
"style-src 'self' 'unsafe-inline'",
response.headers["content-security-policy"],
)
async def test_static_ui_uses_only_local_assets_and_session_storage(self):
index_html = Path("static/index.html").read_text(encoding="utf-8")
app_js = Path("static/app.js").read_text(encoding="utf-8")
self.assertIn('/static/vendor/tailwindcdn.js', index_html)
self.assertIn('/static/ui.css', index_html)
self.assertIn('/static/vendor/vue.global.prod.js', index_html)
self.assertIn('/static/app.js', index_html)
self.assertNotIn("https://unpkg.com", index_html)
self.assertNotIn("https://cdn.tailwindcss.com", index_html)
self.assertNotIn("https://fonts.googleapis.com", index_html)
self.assertNotIn("localStorage", index_html)
self.assertNotIn("localStorage", app_js)
self.assertIn("sessionStorage", app_js)
Reference in New Issue View Git Blame Copy Permalink