diff --git a/apps/core/tests/test_security.py b/apps/core/tests/test_security.py
index edc5ab8..78836c6 100644
--- a/apps/core/tests/test_security.py
+++ b/apps/core/tests/test_security.py
@@ -2,6 +2,9 @@ import re
 import pytest
+from apps.blog.models import ArticleIndexPage, ArticlePage
+from apps.blog.tests.factories import AuthorFactory
+
 @pytest.mark.django_db
 def test_security_headers_present(client, home_page):
@@ -11,6 +14,8 @@ def test_security_headers_present(client, home_page):
 assert "Permissions-Policy" in resp
 assert "unsafe-inline" not in resp["Content-Security-Policy"]
 assert "script-src" in resp["Content-Security-Policy"]
+ assert resp["X-Frame-Options"] == "SAMEORIGIN"
+ assert "strict-origin-when-cross-origin" in resp["Referrer-Policy"]
 @pytest.mark.django_db
@@ -22,3 +27,40 @@ def test_csp_nonce_applied_to_inline_script(client, home_page):
 nonce = match.group(1)
 html = resp.content.decode()
 assert f'nonce="{nonce}"' in html
+
+
+@pytest.mark.django_db
+def test_robots_disallows_cms_and_contains_sitemap(client):
+ resp = client.get("/robots.txt")
+ body = resp.content.decode()
+ assert resp.status_code == 200
+ assert "Disallow: /cms/" in body
+ assert "Sitemap:" in body
+
+
+@pytest.mark.django_db
+def test_admin_obscured_path_redirects_to_cms(client):
+ resp = client.get("/admin/")
+ assert resp.status_code == 302
+ assert resp["Location"] == "/cms/"
+
+
+@pytest.mark.django_db
+def test_article_comment_form_contains_csrf_token(client, home_page):
+ index = ArticleIndexPage(title="Articles", slug="articles")
+ home_page.add_child(instance=index)
+ author = AuthorFactory()
+ article = ArticlePage(
+ title="CSRF Article",
+ slug="csrf-article",
+ author=author,
+ summary="summary",
+ body=[("rich_text", "
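Review bot: The new Referrer-Policy assertion in test_security_headers_present checks substring membership, so any header value that merely contains the token (for example a comma-separated fallback list with a weaker policy listed first) would still pass; pin the exact value the way the X-Frame-Options line just above it does, `assert resp["Referrer-Policy"] == "strict-origin-when-cross-origin"`. Both added lines index the header directly, so a missing header surfaces as a KeyError rather than an assertion failure; unless the earlier lines of the function (its start is outside this hunk) already assert presence, add `assert "Referrer-Policy" in resp` before the equality check.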

Body

")],
+ )
+ index.add_child(instance=article)
+ article.save_revision().publish()
+
+ resp = client.get("/articles/csrf-article/")
+ html = resp.content.decode()
+ assert resp.status_code == 200
+ assert "csrfmiddlewaretoken" in html
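Review bot: test_admin_obscured_path_redirects_to_cms asserts behaviour that contradicts its name: a 302 from `/admin/` to `/cms/` tells anyone probing the default admin URL where the real admin presumably lives, and the robots.txt test in the same hunk asserts `Disallow: /cms/`, which publishes that path a second time. If the redirect is a deliberate convenience alias, rename the test (e.g. `test_admin_path_redirects_to_cms`) so nobody reads it as an obscurity control; if obscurity is the intent, the expected status for `/admin/` should be 404 rather than a redirect. Separately, test_article_comment_form_contains_csrf_token only proves the token is rendered, and Django's default test client does not enforce CSRF, so a companion test built with `Client(enforce_csrf_checks=True)` that POSTs the comment form without a token and expects 403 would cover the check itself. The hard-coded `/articles/csrf-article/` could be `article.url` so the test survives slug or index changes.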