<?php
use App\Services\SystemConfig\SystemConfigService;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Route;
beforeEach(function () {
    // Reset whatever SystemConfigService memoised in a previous test so each
    // probe resolves settings afresh. Passing null as the "object" argument
    // targets a static property; setAccessible() is a no-op from PHP 8.1 on.
    $settings = (new ReflectionClass(SystemConfigService::class))
        ->getProperty('resolvedSettings');
    $settings->setAccessible(true);
    $settings->setValue(null, null);

    Cache::flush();

    // Throw-away endpoint under the 'web' middleware group — presumably the
    // group that attaches the security headers asserted below; the body is
    // irrelevant, only the response headers are inspected.
    Route::middleware('web')->get('/__sec-probe', static fn () => response('ok'));
});
test('X-Content-Type-Options nosniff is present', function () {
    // nosniff stops browsers from MIME-sniffing a response away from its
    // declared Content-Type, which is what turns uploads/JSON into executable markup.
    $this->get('/__sec-probe')
        ->assertHeader('X-Content-Type-Options', 'nosniff');
});
test('X-Frame-Options SAMEORIGIN is present', function () {
    // SAMEORIGIN is the legacy clickjacking control; it only covers browsers
    // that do not honour CSP frame-ancestors, so it must be sent alongside,
    // not instead of, any CSP the app emits (CSP is not asserted in this file).
    $this->get('/__sec-probe')
        ->assertHeader('X-Frame-Options', 'SAMEORIGIN');
});
test('Referrer-Policy is strict-origin-when-cross-origin', function () {
    // Full URL (incl. path/query) only leaks to same-origin navigations;
    // cross-origin requests get the origin alone, and nothing on HTTPS→HTTP.
    $this->get('/__sec-probe')
        ->assertHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
});
test('Permissions-Policy locks down camera, microphone, geolocation', function () {
    // An empty allowlist "()" denies the feature to the page and every embedded frame.
    $policy = $this->get('/__sec-probe')->headers->get('Permissions-Policy');

    // Substring checks only: they do not catch a later, more permissive
    // duplicate directive, but that is the same guarantee the original made.
    foreach (['camera=()', 'microphone=()', 'geolocation=()'] as $directive) {
        expect($policy)->toContain($directive);
    }
});
test('X-XSS-Protection header is set', function () {
    // Presence only — the value is deliberately not pinned here. Note that
    // current browser guidance is to send "0" (the auditor was removed and
    // the legacy "1; mode=block" mode has caused cross-site leaks); if the
    // middleware emits something else, that is worth a separate assertion.
    $this->get('/__sec-probe')
        ->assertHeader('X-XSS-Protection');
});
test('HSTS is omitted over plain HTTP regardless of setting', function () {
    // The test client issues a plain http:// request by default, so this
    // covers the non-TLS branch: Strict-Transport-Security must never be
    // emitted there (browsers ignore it on HTTP, and sending it would let a
    // misconfigured reverse proxy pin clients to a scheme it cannot serve).
    // NOTE(review): nothing here turns the HSTS setting on, so only the
    // default configuration is exercised; "regardless of setting" would
    // need a second case with the setting enabled — TODO confirm.
    $this->get('/__sec-probe')
        ->assertHeaderMissing('Strict-Transport-Security');
});