import re
import pytest
@pytest.mark.django_db
def test_security_headers_present(client, home_page):
    """The home page response carries the baseline security headers.

    Verifies that both a Content-Security-Policy and a Permissions-Policy
    header are set, that the CSP declares a ``script-src`` directive, and
    that the policy does not allow ``unsafe-inline`` anywhere — permitting
    inline script would undo most of the XSS protection the CSP provides.
    """
    response = client.get("/")
    assert response.status_code == 200

    # Both policy headers must be present on the page response.
    for header_name in ("Content-Security-Policy", "Permissions-Policy"):
        assert header_name in response

    csp = response["Content-Security-Policy"]
    # Substring checks, as in the original: the whole policy is inspected,
    # so an unsafe-inline in style-src is rejected as well.
    assert "unsafe-inline" not in csp
    assert "script-src" in csp
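@pytest.mark.django_db
def test_csp_nonce_applied_to_inline_script(client, home_page):
    """The nonce advertised in the CSP header is the one used on inline scripts.

    Extracts the ``'nonce-…'`` source from the Content-Security-Policy
    header, checks that a ``<script>`` element in the rendered HTML carries
    that exact nonce (not merely that the value appears somewhere in the
    page, e.g. on a ``<style>`` element), and checks that a second request
    is issued a different nonce — a nonce reused across responses is
    predictable and no longer restricts which inline scripts may execute.
    """
    resp = client.get("/")
    nonce = _csp_nonce(resp["Content-Security-Policy"])
    assert nonce, "CSP header declares no 'nonce-...' source"

    html = resp.content.decode()
    # Anchor the nonce to a <script> tag; re.escape guards against regex
    # metacharacters in the (base64-style) nonce value.
    script_with_nonce = re.compile(
        r"<script\b[^>]*\snonce=\"" + re.escape(nonce) + r"\"",
        re.IGNORECASE,
    )
    assert script_with_nonce.search(html), "no <script> element carries the CSP nonce"

    # Nonces are only effective when freshly generated per response.
    second_nonce = _csp_nonce(client.get("/")["Content-Security-Policy"])
    assert second_nonce and second_nonce != nonce, "CSP nonce reused across responses"


def _csp_nonce(csp):
    """Return the first nonce value declared in the CSP string *csp*, or None."""
    match = re.search(r"nonce-([^' ;]+)", csp)
    return match.group(1) if match else None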