1"""test security headers middleware."""
2
3from fastapi.testclient import TestClient
4
5from backend.config import settings
6
7
def test_security_headers_present(client: TestClient):
    """verify that security headers are present in responses."""
    response = client.get("/health")
    assert response.status_code == 200

    # baseline headers the middleware is expected to attach; only these four
    # are pinned here, so other hardening headers (CSP, Permissions-Policy,
    # COOP/COEP) are not covered by this test.
    expected = {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        # NOTE(review): X-XSS-Protection is a legacy header that current
        # browsers ignore; the value is pinned to what the middleware emits
        # today -- revisit if the middleware drops or changes it.
        "X-XSS-Protection": "1; mode=block",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    for header_name, header_value in expected.items():
        assert response.headers[header_name] == header_value
20
21
def test_hsts_header_logic(client: TestClient):
    """verify HSTS header logic based on debug mode."""
    # the global settings object is mutated below, so remember the value to
    # put back no matter how the assertions end.
    saved_debug = settings.app.debug

    try:
        # debug on (the default in tests): HSTS must be absent, since it only
        # makes sense for a TLS-served production deployment.
        settings.app.debug = True
        assert "Strict-Transport-Security" not in client.get("/health").headers

        # debug off (production): HSTS must be present with a one-year max-age.
        # assumes the middleware reads settings.app.debug per request rather
        # than once at startup -- otherwise this case could not observe the
        # flip; confirm against the middleware.
        settings.app.debug = False
        hsts = client.get("/health").headers["Strict-Transport-Security"]
        assert hsts == "max-age=31536000; includeSubDomains"

    finally:
        # restore the shared setting so later tests see the original value
        settings.app.debug = saved_debug