Q5 of 24 · Security

Which security response headers should be present and how do you check them in a test?

Security · Junior · tags: security, security-headers, csp, hsts, x-frame-options, testing

Short answer

Key headers: Content-Security-Policy (restricts resource loading — mitigates XSS), Strict-Transport-Security (HSTS — enforces HTTPS), X-Content-Type-Options: nosniff (prevents MIME sniffing), X-Frame-Options or CSP frame-ancestors (prevents clickjacking), and Referrer-Policy. Check them with a HEAD request in an API test or with curl.

Detail

Each header mitigates a specific class of attack:

Content-Security-Policy (CSP): restricts which origins can load scripts, styles, images, and frames. A well-configured CSP is one of the strongest XSS mitigations because even if an attacker injects a script tag, the browser refuses to load it from an origin the policy does not allow. Testing tip: check that the CSP is present and not trivially bypassed; unsafe-inline and unsafe-eval in script-src are common weaknesses that largely defeat the policy.

Strict-Transport-Security (HSTS): tells the browser to always use HTTPS for this domain for a specified duration. Prevents downgrade attacks. Check for max-age of at least 1 year (31536000 seconds) and ideally includeSubDomains; preload.

X-Content-Type-Options: nosniff: prevents the browser from MIME-sniffing responses — an attacker can't serve a malicious script disguised as an image and have it executed.

X-Frame-Options: deprecated in favour of CSP's frame-ancestors directive, but still widely used. DENY or SAMEORIGIN prevents your page from being loaded in an iframe on another domain (clickjacking mitigation).

Referrer-Policy: controls how much referrer information is sent with requests. no-referrer-when-downgrade or strict-origin-when-cross-origin prevents leaking sensitive URL parameters to third parties.

// EXAMPLE

security-headers.test.ts

import { test, expect } from '@playwright/test';

test('homepage has required security headers', async ({ request }) => {
  const response = await request.get('https://example.com/');
  // Playwright returns header names lower-cased.
  const headers = response.headers();

  // max-age must be present; the digits need an escaped \d in the regex.
  expect(headers['strict-transport-security']).toMatch(/max-age=\d+/);
  expect(headers['x-content-type-options']).toBe('nosniff');
  expect(headers['content-security-policy']).toBeTruthy();
  expect(headers['referrer-policy']).toBeTruthy();
});
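The test above only checks presence. As an added example (not from the original page or any project), the checker below applies the specific rules from the Detail section to a plain header map: HSTS max-age of at least a year with includeSubDomains, nosniff, no unsafe-inline/unsafe-eval in the effective script-src, a clickjacking control, and a non-permissive Referrer-Policy. The header map, the helper names and the sample values are all constructed here.

```typescript
// Added example (not from the original page): applies the Detail section's rules
// to response headers, lower-cased as Playwright's response.headers() returns them.
type Headers = Record<string, string>;
const MIN_HSTS_MAX_AGE = 31536000; // one year
const GOOD_REFERRER = new Set(['no-referrer', 'no-referrer-when-downgrade',
  'strict-origin', 'strict-origin-when-cross-origin', 'same-origin']);

// Source list of a CSP directive, or undefined when the directive is absent.
function cspDirective(csp: string, name: string): string[] | undefined {
  for (const d of csp.split(';')) {
    const parts = d.trim().split(/\s+/);
    if (parts[0] === name) return parts.slice(1);
  }
  return undefined;
}

// Returns findings; an empty array means every check passed.
function checkSecurityHeaders(h: Headers): string[] {
  const findings: string[] = [];
  const hsts = h['strict-transport-security'] ?? '';
  const maxAge = hsts.match(/max-age=(\d+)/);
  if (!maxAge) findings.push('HSTS missing or has no max-age');
  else if (Number(maxAge[1]) < MIN_HSTS_MAX_AGE) findings.push('HSTS max-age below one year');
  else if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  if (h['x-content-type-options']?.toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options is not nosniff');
  const csp = h['content-security-policy'];
  if (!csp) findings.push('CSP missing');
  else {
    // script-src falls back to default-src when it is not set explicitly.
    const script = cspDirective(csp, 'script-src') ?? cspDirective(csp, 'default-src') ?? [];
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'"])
      if (script.includes(weak)) findings.push(`CSP script-src allows ${weak}`);
  }
  // Clickjacking: CSP frame-ancestors or a restrictive X-Frame-Options must be set.
  const xfo = h['x-frame-options']?.toUpperCase() ?? '';
  if (!(csp && cspDirective(csp, 'frame-ancestors')) && !['DENY', 'SAMEORIGIN'].includes(xfo))
    findings.push('no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN');
  if (!GOOD_REFERRER.has(h['referrer-policy']?.toLowerCase() ?? ''))
    findings.push('Referrer-Policy missing or permissive');
  return findings;
}

// Constructed sample (not captured from a real site): five of the checks fail.
const WEAK_HEADERS: Headers = {
  'strict-transport-security': 'max-age=3600',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'referrer-policy': 'unsafe-url',
};
console.log(checkSecurityHeaders(WEAK_HEADERS));
```

In a Playwright test, pass `response.headers()` to `checkSecurityHeaders` and assert the result is an empty array so the failure message lists exactly which rule was broken.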

// WHAT INTERVIEWERS LOOK FOR

Can name at least four headers and the specific attack each mitigates. Knows how to assert them in an API test.