fix(security): add nonce-based CSP header to frontend route
This commit is contained in:
@@ -31,6 +31,26 @@ def test_get_client_config():
|
||||
assert isinstance(data["client_id"], str)
|
||||
assert len(data["client_id"]) > 0
|
||||
|
||||
def test_root_serves_csp_with_nonce():
|
||||
"""Test that GET / returns a CSP header with a nonce and the inline script carries it."""
|
||||
response = client.get("/")
|
||||
assert response.status_code == 200
|
||||
csp = response.headers.get("content-security-policy", "")
|
||||
assert "nonce-" in csp
|
||||
assert "script-src" in csp
|
||||
assert "cdn.jsdelivr.net" in csp
|
||||
assert "connect-src" in csp
|
||||
assert "login.infomaniak.com" in csp
|
||||
assert "api.coingecko.com" in csp
|
||||
assert "object-src 'none'" in csp
|
||||
body = response.text
|
||||
assert "<script nonce=" in body
|
||||
import re
|
||||
match = re.search(r"nonce-([A-Za-z0-9_-]+)", csp)
|
||||
assert match is not None
|
||||
nonce = match.group(1)
|
||||
assert f'nonce="{nonce}"' in body
|
||||
|
||||
@patch('main.verify_token')
|
||||
def test_validate_token_success(mock_verify_token):
|
||||
"""Test successful token validation."""
|
||||
|
||||
Reference in New Issue
Block a user