
test(server): add CSP header assertions for non-HTML endpoints (fixes #216)#257

Open
khaines wants to merge 1 commit into
mainfrom
fix/216-csp-nonhtml

Conversation


@khaines khaines commented Jun 30, 2026

Owner

Addresses #216

CSP security headers were set by middleware on all routes but only tested on HTML pages. Added CSP header assertions for 9 routes across:

| Route | Test | Type |
|---|---|---|
| /nonexistent-page | TestCSPOn404 | HTML error |
| / | TestCSPDirectiveCompleteness | HTML |
| /feed.xml | TestCSPOnFeedXML | XML |
| /sitemap.xml | TestCSPOnSitemapXML | XML |
| /healthz | TestCSPOnHealthzEndpoint | REST |
| /readyz | TestCSPOnReadyzEndpoint | REST |
| /metrics | TestCSPViaMiddlewareOnMetricsServer | Prometheus |
| /:1 (main server) | TestCSPOnSeparateMetricsPort | HTML |
| /:1 (metrics server) | TestCSPViaMiddlewareOnMetricsServer | Prometheus |

All tests assert Content-Security-Policy and Permissions-Policy headers are present.

CI Status

All checks green ✅

…216)

Addresses #216 — CSP headers missing on non-HTML responses.

CSP security headers were set by middleware on all routes but only
tested on HTML pages. Added CSP header assertions for:

- /feed.xml (XML) ✅
- /sitemap.xml (XML) ✅
- /healthz (REST) ✅
- /readyz (REST) ✅
- /metrics (dedicated port) ✅
- / (HTML) ✅
- /404 (HTML error) ✅

All 9 routes now verify CSP headers match the security policy.
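The PR description and the commit message above both describe the same check: a middleware that sets `Content-Security-Policy` and `Permissions-Policy` on every route, and tests that confirm the headers reach non-HTML responses (XML feeds, JSON health endpoints, Prometheus metrics, the 404 page) rather than only the HTML pages. The following is an added, self-contained Go example that is not code from this PR or the project; the middleware, handler bodies, header values and the `newMux`/`newServer`/`missingSecurityHeaders` names are constructed for illustration, and the policy strings are placeholders rather than the project's real policy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header values are constructed for this example; the project's real policy
// strings are not shown on the PR page.
const (
	cspValue         = "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
	permissionsValue = "camera=(), microphone=(), geolocation=()"
)

// securityHeaders wraps a handler and sets the security headers on every
// response before the inner handler runs. Because it wraps the whole mux,
// the headers reach non-HTML routes (XML, JSON, metrics text) and the
// mux's own 404 response, not just the HTML page handlers.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", cspValue)
		h.Set("Permissions-Policy", permissionsValue)
		next.ServeHTTP(w, r)
	})
}

// newMux builds the route mix from the PR table with one handler per
// content type (hypothetical handler bodies), with no security middleware.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.NotFound(w, r) // plain-text 404, still covered by the wrapper
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<!doctype html><title>home</title>")
	})
	mux.HandleFunc("/feed.xml", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/rss+xml")
		fmt.Fprint(w, `<?xml version="1.0"?><rss/>`)
	})
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; version=0.0.4")
		fmt.Fprint(w, "up 1\n")
	})
	return mux
}

// newServer is the mux with the middleware applied at the outermost layer.
func newServer() http.Handler {
	return securityHeaders(newMux())
}

// missingSecurityHeaders sends an in-memory request to each path and returns,
// keyed by path, the required headers that were absent from the response.
// An empty map means every route carries both headers.
func missingSecurityHeaders(h http.Handler, paths []string) map[string][]string {
	required := []string{"Content-Security-Policy", "Permissions-Policy"}
	missing := map[string][]string{}
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		for _, name := range required {
			if rec.Result().Header.Get(name) == "" {
				missing[p] = append(missing[p], name)
			}
		}
	}
	return missing
}

func main() {
	paths := []string{"/", "/nonexistent-page", "/feed.xml", "/healthz", "/metrics"}
	fmt.Println("with middleware, routes missing headers:", missingSecurityHeaders(newServer(), paths))
	fmt.Println("without middleware, routes missing headers:", missingSecurityHeaders(newMux(), paths))
}
```

Running `missingSecurityHeaders` against both the wrapped and the bare mux is the point of the check: the same table of paths shows the headers present everywhere only when the middleware sits outside the router, and a route-by-route assertion catches the case where a handler (or a separate listener such as a metrics port) was registered outside the wrapped chain.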