feat: production-harden app and finalize merge-ready UX/theme baseline
- complete tokenized theme preset system and admin style guide visibility - refine dashboard layout/scroll behavior and shared async/request UI states - add user nav-visibility settings across API, migration, and frontend stores - harden security headers/CSP handling and related test coverage - enforce CI repository hygiene + frontend contract/theme/build quality gates - update docs/env references and make migration smoke test head-aware
This commit is contained in:
parent
ab1d29b203
commit
ae2ca8f149
66 changed files with 5655 additions and 853 deletions
36
tests/unit/test_security_headers.py
Normal file
36
tests/unit/test_security_headers.py
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
from unittest.mock import AsyncMock
|
||||
|
||||
from fastapi.testclient import TestClient
|
||||
|
||||
from app.main import app
|
||||
|
||||
|
||||
def test_security_headers_are_set_for_api_responses(monkeypatch) -> None:
|
||||
monkeypatch.setattr("app.main.check_database", AsyncMock(return_value=True))
|
||||
client = TestClient(app)
|
||||
|
||||
response = client.get("/healthz")
|
||||
|
||||
assert response.status_code == 200
|
||||
assert response.headers["x-content-type-options"] == "nosniff"
|
||||
assert response.headers["x-frame-options"] == "DENY"
|
||||
assert response.headers["referrer-policy"] == "strict-origin-when-cross-origin"
|
||||
assert response.headers["cross-origin-opener-policy"] == "same-origin"
|
||||
assert response.headers["cross-origin-resource-policy"] == "same-origin"
|
||||
assert "permissions-policy" in response.headers
|
||||
assert "content-security-policy" in response.headers
|
||||
assert "script-src 'self'" in response.headers["content-security-policy"]
|
||||
assert "frame-ancestors 'none'" in response.headers["content-security-policy"]
|
||||
assert "strict-transport-security" not in response.headers
|
||||
|
||||
|
||||
def test_docs_route_uses_docs_csp_policy(monkeypatch) -> None:
|
||||
monkeypatch.setattr("app.main.check_database", AsyncMock(return_value=True))
|
||||
client = TestClient(app)
|
||||
|
||||
response = client.get("/docs")
|
||||
|
||||
assert response.status_code == 200
|
||||
csp = response.headers["content-security-policy"]
|
||||
assert "script-src 'self' 'unsafe-inline'" in csp
|
||||
assert "style-src 'self' 'unsafe-inline'" in csp
|
||||
Loading…
Add table
Add a link
Reference in a new issue