Last active
October 28, 2015 19:25
-
-
Save garethr/9c4f4c87910e33cff4d1 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import unittest | |
| import urllib | |
| #URL_TO_TEST = 'https://example.com/' | |
| URL_TO_TEST = 'https://securityheaders.com/' | |
| class TestSecurityHeaders(unittest.TestCase): | |
| """ | |
| Tests for security headers based on the recommendations | |
| from https://securityheaders.com/ | |
| """ | |
| def setUp(self): | |
| self.response = urllib.urlopen(URL_TO_TEST) | |
| def test_valid_response(self): | |
| self.assertEqual(self.response.code, 200) | |
| def test_for_a_content_security_policy(self): | |
| self.assertTrue('content-security-policy' in self.response.headers.keys()) | |
| def test_for_a_strict_transport_security_policy(self): | |
| self.assertTrue('strict-transport-security' in self.response.headers.keys()) | |
| def test_not_revealing_powered_by_technology(self): | |
| self.assertFalse('x-powered-by' in self.response.headers.keys()) | |
| def test_not_revealing_server_technology(self): | |
| self.assertFalse('server' in self.response.headers.keys()) | |
| def test_not_allowing_anyone_to_load_content(self): | |
| header = self.response.headers.get('access-control-allow-origin') | |
| self.assertNotEqual(header, '*') | |
| def test_for_a_sensible_xss_policy(self): | |
| header = self.response.headers.get('x-xss-protection') | |
| self.assertEqual(header, '1; mode=block') | |
| def test_for_clickjacking_protection(self): | |
| header = self.response.headers.get('x-frame-options') | |
| self.assertEqual(header, 'SAMEORIGIN') | |
| def test_for_mime_guessing_disabled(self): | |
| header = self.response.headers.get('x-content-type-options') | |
| self.assertEqual(header, 'nosniff') | |
| def test_preventing_cross_domain_loading(self): | |
| header = self.response.headers.get('x-permitted-cross-domain-policies') | |
| self.assertEqual(header, 'master-only') | |
| if __name__ == '__main__': | |
| unittest.main() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import unittest | |
| import urllib | |
| #URL_TO_TEST = 'https://example.com/' | |
| URL_TO_TEST = 'https://securityheaders.com/' | |
| class TestSecurityHeaders(unittest.TestCase): | |
| """ | |
| Tests for security headers based on the recommendations | |
| from https://securityheaders.com/ | |
| """ | |
| def setUp(self): | |
| self.response = urllib.urlopen(URL_TO_TEST) | |
| def test_valid_response(self): | |
| self.assertEqual(self.response.code, 200) | |
| def test_for_a_content_security_policy(self): | |
| self.assertTrue('content-security-policy' in self.response.headers.keys()) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment