
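#!/usr/bin/env bash
#
# test_security_headers.sh - verify that the object server sends the expected
# security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection,
# Content-Security-Policy, Referrer-Policy, Permissions-Policy) on public,
# authenticated and error responses.
#
# Usage: test_security_headers.sh [BASE_URL]
#   BASE_URL defaults to http://127.0.0.1:7703. A trailing slash is tolerated.
#
# Requires: bash, curl, grep, sed. Exits non-zero if a check fails.
set -euo pipefail

# Directory this script lives in; not used by the checks below but kept for
# callers that resolve paths relative to the script.
# shellcheck disable=SC2034
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)

# Base URL the endpoint paths are appended to. One trailing slash is stripped
# so that "$URL$endpoint" never produces "http://host//status".
URL="${1:-http://127.0.0.1:7703}"
URL="${URL%/}"
readonly URL

echo "Testing security headers at $URL"
echo "======================================"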
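#######################################
# Fetch one endpoint with GET and verify that a response header is present
# and, when an expected value is given, equal to it.
# Globals:   URL (read) - base URL the endpoint path is appended to
# Arguments: $1 - endpoint path, e.g. "/status"
#            $2 - header name, matched case-insensitively at line start
#            $3 - expected value; empty string means "presence only"
# Outputs:   one result line per check on stdout; curl errors on stderr
# Returns:   0 if the header is present and matches; 1 if the request
#            failed, the header is missing, or its value differs
#######################################
check_header() {
  local endpoint="$1"
  local header="$2"
  local expected="${3:-}"
  local response matches value

  echo ""
  echo "Testing $header on $endpoint"

  # Always issue a real GET: -D - dumps the response headers to stdout and
  # -o /dev/null discards the body. A HEAD request (curl -I) is avoided on
  # purpose: a server may route HEAD differently (or answer 405), and because
  # curl exits 0 for any HTTP status a "curl -I || curl -i" fallback never
  # fires, so the headers inspected would not be the ones a browser receives.
  # --max-time stops a hung server from stalling the whole run.
  if ! response=$(curl -sS --max-time 10 -D - -o /dev/null "$URL$endpoint"); then
    echo " ✗ Request to $URL$endpoint failed"
    return 1
  fi

  # Header names are case-insensitive; anchoring at line start avoids
  # matching a header that merely mentions the name inside its value.
  # "|| true" keeps grep's no-match status from aborting under set -e.
  matches=$(printf '%s\n' "$response" | grep -i -- "^$header:" || true)
  if [[ -z "$matches" ]]; then
    echo " ✗ Missing $header"
    return 1
  fi

  # Take the first occurrence; strip the name, following whitespace and CRLF.
  value=$(printf '%s\n' "$matches" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r\n')
  echo " ✓ Found: $value"

  # A wrong value is as much a failure as a missing header: e.g.
  # "X-Frame-Options: SAMEORIGIN" where DENY is expected silently weakens
  # the policy, so it is reported as a failure rather than a warning.
  if [[ -n "$expected" && "$value" != "$expected" ]]; then
    echo " ✗ Expected '$expected', got '$value'"
    return 1
  fi
  return 0
}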
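# Test endpoints.
# Each check goes through run_check so that one failure does not stop the
# remaining checks (under set -e a plain check_header call would abort the
# script on the first missing header); the total drives the exit status.
failures=0

# Run one check_header invocation and tally a failure instead of aborting.
# Arguments: same as check_header (endpoint, header name, expected value).
run_check() {
  check_header "$@" || failures=$((failures + 1))
}

# Headers every response is expected to carry. Only presence is asserted
# here; exact values are pinned on the public endpoints below.
REQUIRED_HEADERS=(
  "X-Frame-Options"
  "X-Content-Type-Options"
  "X-XSS-Protection"
  "Content-Security-Policy"
  "Referrer-Policy"
  "Permissions-Policy"
)

echo ""
echo "1. Testing /status endpoint (no auth required)"
echo "-----------------------------------------------"
run_check "/status" "X-Frame-Options" "DENY"
run_check "/status" "X-Content-Type-Options" "nosniff"
run_check "/status" "X-XSS-Protection" "1; mode=block"
run_check "/status" "Content-Security-Policy" ""
run_check "/status" "Referrer-Policy" "strict-origin-when-cross-origin"
run_check "/status" "Permissions-Policy" ""

echo ""
echo "2. Testing / endpoint (welcome page)"
echo "-------------------------------------"
run_check "/" "X-Frame-Options" "DENY"
run_check "/" "X-Content-Type-Options" "nosniff"

# Auth-gated and error responses are where security headers are most often
# lost (an early 401/404 return can bypass the code that adds them), so they
# are asserted rather than merely printed. The request to /dir is sent
# without credentials; whatever status the server answers with is checked.
echo ""
echo "3. Testing authenticated endpoint /dir"
echo "---------------------------------------"
for hdr in "${REQUIRED_HEADERS[@]}"; do
  run_check "/dir" "$hdr" ""
done

echo ""
echo "4. Testing error response (404)"
echo "--------------------------------"
for hdr in "${REQUIRED_HEADERS[@]}"; do
  run_check "/nonexistent" "$hdr" ""
done

echo ""
echo "======================================"
if (( failures > 0 )); then
  echo "Security headers test complete: $failures check(s) FAILED"
  exit 1
fi
echo "Security headers test complete"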