From 75f541549ae8bfde718c3b2ea04bb1384947d030 Mon Sep 17 00:00:00 2001 From: Spencer Peace <47868304+Spencer6497@users.noreply.github.com> Date: Tue, 7 Jan 2025 17:30:43 +0100 Subject: [PATCH] chore(Add more security e2e tests) (#1573) * add security tests * add security test to mobile test ignores --------- Co-authored-by: chris --- playwright.config.ts | 6 +++- tests/e2e/common/security.spec.ts | 52 +++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 tests/e2e/common/security.spec.ts diff --git a/playwright.config.ts b/playwright.config.ts index fa74b8d35..96cb95a05 100644 --- a/playwright.config.ts +++ b/playwright.config.ts @@ -62,7 +62,11 @@ export default defineConfig({ name: "Mobile Android", use: { ...devices["Galaxy S8"] }, // Already covered in primary device tests - testIgnore: ["**/accessibilityScans.spec.ts", "**/csrf.spec.ts"], + testIgnore: [ + "**/accessibilityScans.spec.ts", + "**/csrf.spec.ts", + "**/security.spec.ts", + ], }, ], diff --git a/tests/e2e/common/security.spec.ts b/tests/e2e/common/security.spec.ts new file mode 100644 index 000000000..cdab19ef1 --- /dev/null +++ b/tests/e2e/common/security.spec.ts 
@@ -0,0 +1,52 @@
+import { test, expect } from "@playwright/test";
+import { defaultHeaders } from "~/rootHeaders";
+
+const expectedHeaders = {
+  ...defaultHeaders,
+  "Cache-Control": "no-store",
+  Connection: "keep-alive",
+  "Content-Encoding": "gzip",
+  "Content-Type": "text/html; charset=utf-8",
+  "Transfer-Encoding": "chunked",
+  Vary: "Accept-Encoding",
+};
+
+test.describe("Security Tests", () => {
+  test("The server should send a response including the correct response headers", async ({
+    page,
+  }) => {
+    const response = await page.request.get("/");
+    await expect(response).toBeOK();
+    Object.entries(expectedHeaders)
+      .map(([key, val]) => [key.toLocaleLowerCase(), val])
+      .forEach(([key, expectedVal]) => {
+        const actualValue = response.headers()[key];
+        const responseHasExpectedHeader = actualValue === expectedVal;
+        if (!responseHasExpectedHeader) {
+          // eslint-disable-next-line no-console
+          console.warn(
+            `Header ${key} was expected to be ${expectedVal} but instead was ${actualValue}`,
+          );
+        }
+        expect(responseHasExpectedHeader).toBe(true);
+      });
+  });
+
+  test("Invalid HTTP operations should yield an error", async ({ page }) => {
+    const postResponse = await page.request.post("/");
+    await expect(postResponse).not.toBeOK();
+    expect(postResponse.status()).toBe(405);
+
+    const putResponse = await page.request.put("/");
+    await expect(putResponse).not.toBeOK();
+    expect(putResponse.status()).toBe(405);
+
+    const deleteResponse = await page.request.delete("/");
+    await expect(deleteResponse).not.toBeOK();
+    expect(deleteResponse.status()).toBe(405);
+
+    const patchResponse = await page.request.patch("/");
+    await expect(patchResponse).not.toBeOK();
+    expect(patchResponse.status()).toBe(405);
+  });
+});
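Review bot: The `Connection: keep-alive`, `Content-Encoding: gzip` and `Transfer-Encoding: chunked` entries in `expectedHeaders` are transport details negotiated per request (compression depends on the client's Accept-Encoding, and neither Connection nor Transfer-Encoding is carried on HTTP/2), so asserting exact equality on them makes the test brittle across environments without checking anything security-relevant; I would drop those three entries and keep `...defaultHeaders` plus `"Cache-Control": "no-store"`, which are the headers this test is meant to guard. The `.map(...).forEach(...)` block with the `console.warn` and `expect(responseHasExpectedHeader).toBe(true)` could be reduced to `expect(actualValue, message).toBe(expectedVal)` with the existing warning text as the message, so a mismatch is reported by the assertion itself instead of a boolean that hides which header failed. Header names should be lower-cased with `toLowerCase()` rather than `toLocaleLowerCase()`, since the latter follows the runtime locale. In the second test, a 405 on `/` only shows that the root route rejects those verbs; if the server sets an `Allow` header on 405 responses it would be worth asserting it too, though I cannot tell from this hunk whether it does.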