Tests for HTTP security headers - adjust the expected headers and the URL to suit your endpoint - see https://securityheaders.com
docker build -t http_header_test .
docker run -it --rm --name http_header_test_run http_header_test
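# Pinned base image; bump the tag deliberately so test runs stay reproducible.
FROM python:3.7.3-alpine3.9

WORKDIR /usr/src/app

# Install dependencies before copying the sources so the pip layer stays
# cached until requirements.txt changes.
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

# The test only makes outbound HTTP requests; it needs no root privileges,
# so run it as an unprivileged, password-less user (busybox adduser -D).
RUN adduser -D -H tester
USER tester

CMD [ "python", "./http_header_test.py" ]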
import unittest
import requests
from unittest import TestCase
# Endpoint under test. Known to be a good citizen; replace this with your own
# endpoint (include the scheme, e.g. "https://...").
HTTP_URL = "https://fated.org/"
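class TestHttpHeaders(TestCase):
    """Check that the endpoint at HTTP_URL serves the expected security headers.

    Each test fetches HTTP_URL once with ``requests.get``. The request is
    bounded by REQUEST_TIMEOUT so an unresponsive endpoint fails the run
    instead of hanging it. Header lookups go through ``response.headers``
    itself, which ``requests`` exposes as a case-insensitive mapping, so a
    server that emits lower-case header names (as HTTP/2 does) still
    satisfies the checks. ``requests.get`` follows redirects, so the headers
    examined are those of the final response.
    """

    # Seconds allowed for connecting and for the first byte of the response.
    REQUEST_TIMEOUT = 10

    # These HTTP headers should be set to these explicit values.
    # Values are matched exactly: an HSTS header that also carries
    # "; includeSubDomains" fails the check unless the full value is listed.
    # NOTE(review): browsers have dropped X-XSS-Protection in favour of CSP;
    # keep it only if your policy still requires it.
    REQUIRED_VALUES = {
        'X-Frame-Options': 'SAMEORIGIN',
        'Strict-Transport-Security': 'max-age=31536000',
        'X-Content-Type-Options': 'nosniff',
        'X-XSS-Protection': '1; mode=block',
    }

    # These HTTP headers should be present but the values are up to the
    # implementation/team.
    # NOTE(review): Feature-Policy has been superseded by Permissions-Policy;
    # add or swap the name to match what your endpoint sends.
    REQUIRED_HEADER_KEYS = [
        'Content-Security-Policy',
        'Referrer-Policy',
        'Feature-Policy',
    ]

    def test_httpheader_values(self):
        """Every header in REQUIRED_VALUES must be present with exactly that value."""
        response = requests.get(HTTP_URL, timeout=self.REQUEST_TIMEOUT)
        # assertDictContainsSubset is deprecated and removed in Python 3.12;
        # one subTest per header also makes a single run report every wrong or
        # missing header instead of only the first. ``get`` yields None for an
        # absent header, which then shows up next to the expected value.
        for name, expected in self.REQUIRED_VALUES.items():
            with self.subTest(header=name):
                self.assertEqual(expected, response.headers.get(name))

    def test_httpheader_keys(self):
        """Every header in REQUIRED_HEADER_KEYS must be present, whatever its value."""
        response = requests.get(HTTP_URL, timeout=self.REQUEST_TIMEOUT)
        # Test membership on the headers mapping directly: copying the keys
        # into a list would make the check case-sensitive and wrongly reject
        # servers that send lower-case header names.
        for name in self.REQUIRED_HEADER_KEYS:
            with self.subTest(header=name):
                self.assertIn(name, response.headers)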
if __name__ == "__main__":
    # Run every TestCase in this module; the exit status reflects the result.
    unittest.main()
requests==2.21.0