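getJson('/api/v1/');
        $response->assertHeader('Content-Security-Policy');
    }

    /**
     * The API policy must deny everything by default and refuse to be framed.
     *
     * `default-src 'none'` is the correct baseline for a JSON-only endpoint
     * (no scripts, styles or images are ever expected); `frame-ancestors 'none'`
     * is the CSP-level clickjacking defence (superset of X-Frame-Options: DENY).
     */
    public function test_api_csp_is_restrictive(): void
    {
        $response = $this->getJson('/api/v1/');
        $csp = $response->headers->get('Content-Security-Policy');

        // Fail with a clear message if the header is absent instead of letting
        // assertStringContainsString() choke on a null haystack.
        $this->assertIsString($csp, 'Content-Security-Policy header is missing');
        $this->assertStringContainsString("default-src 'none'", $csp);
        $this->assertStringContainsString("frame-ancestors 'none'", $csp);
    }

    /**
     * The header emitted must be exactly the configured policy string
     * (no rewriting, truncation or trailing-directive loss on the way out).
     */
    public function test_csp_header_matches_config(): void
    {
        $expectedCsp = config('security.csp');

        // A null/empty config value would make the comparison below vacuous;
        // make sure the test is actually pinning a real policy.
        $this->assertIsString($expectedCsp, 'security.csp must be a non-null policy string');
        $this->assertNotSame('', $expectedCsp, 'security.csp must not be empty');

        $response = $this->getJson('/api/v1/');
        $response->assertHeader('Content-Security-Policy', $expectedCsp);
    }

    /**
     * Report-only mode must switch to the Report-Only header and must NOT
     * also send the enforcing header (otherwise "report-only" would still block).
     */
    public function test_report_only_mode_uses_report_only_header(): void
    {
        config(['security.csp_report_only' => true]);

        $response = $this->getJson('/api/v1/');

        $response->assertHeader('Content-Security-Policy-Report-Only');
        $this->assertNull($response->headers->get('Content-Security-Policy'));
        // NOTE(review): the Report-Only value is presumably the same policy as
        // security.csp — worth asserting once the middleware contract is confirmed.
    }

    /**
     * A null policy disables CSP entirely: neither header may be emitted,
     * in particular no empty-valued header (which some clients treat as a policy).
     */
    public function test_no_csp_header_when_policy_is_null(): void
    {
        config(['security.csp' => null]);

        $response = $this->getJson('/api/v1/');

        $this->assertNull($response->headers->get('Content-Security-Policy'));
        $this->assertNull($response->headers->get('Content-Security-Policy-Report-Only'));
    }

    /**
     * An empty string must behave like null: no header at all, rather than
     * `Content-Security-Policy:` with an empty value.
     */
    public function test_no_csp_header_when_policy_is_empty(): void
    {
        config(['security.csp' => '']);

        $response = $this->getJson('/api/v1/');

        $this->assertNull($response->headers->get('Content-Security-Policy'));
        $this->assertNull($response->headers->get('Content-Security-Policy-Report-Only'));
    }
}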