
Basic security headers (X-Frame-Options, etc.)

Pages, routes, and HTTP endpoints the deployed app must expose. Probes verify HTTP status, expected JSON shape, and visual landmarks.


Plan source

What TestSprite reads

The testing agent reads this JSON, opens the deployed URL in headless Chromium, executes each action step, and evaluates each assertion. Each assertion yields one verdict: passed / failed / blocked / inconclusive.

{
  "projectId": "1ad26753-ee03-4689-8f0f-6fa5d67c5c72",
  "type": "frontend",
  "name": "Surfaces — index response carries baseline security headers",
  "description": "GET / must respond with Content-Security-Policy, X-Content-Type-Options: nosniff, and Referrer-Policy headers. Catches deployables that ship without any CSP, leaving room for an injected-script XSS to read arbitrary cross-origin data — fine for a hobby project, not fine for a public predict-the-World-Cup product.",
  "priority": "p1",
  "metadata": {
    "category": "surfaces",
    "stage": "all"
  },
  "planSteps": [
    {
      "type": "action",
      "description": "Navigate to the homepage and capture the response headers"
    },
    {
      "type": "assertion",
      "description": "Verify the response includes a Content-Security-Policy header (any value is acceptable for v1; presence is what we're gating)"
    },
    {
      "type": "assertion",
      "description": "Verify the response includes X-Content-Type-Options: nosniff"
    },
    {
      "type": "assertion",
      "description": "Verify the response includes a Referrer-Policy header set to one of: no-referrer, strict-origin, strict-origin-when-cross-origin, or same-origin"
    }
  ]
}
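The three assertions in the plan above, evaluated offline against captured response headers. This is an added example, not TestSprite's own probe code; the header samples are constructed, and it additionally handles two details the plan does not spell out: `Content-Security-Policy-Report-Only` does not enforce anything and so does not satisfy the CSP check, and a comma-separated `Referrer-Policy` fallback list is applied by browsers using the last token they recognise.

```python
from typing import Dict, Mapping, Optional

# Values the plan accepts for Referrer-Policy.
ALLOWED_REFERRER_POLICIES = {
    "no-referrer", "strict-origin", "strict-origin-when-cross-origin", "same-origin",
}
# All tokens defined by the Referrer Policy spec; unknown tokens are ignored by browsers.
KNOWN_REFERRER_POLICIES = ALLOWED_REFERRER_POLICIES | {
    "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "unsafe-url",
}

def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: header field names are case-insensitive (RFC 9110)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None

def effective_referrer_policy(value: str) -> Optional[str]:
    """Browsers apply the last recognised token of a comma-separated list, so a header
    such as 'no-referrer, unsafe-url' is effectively unsafe-url."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    recognised = [t for t in tokens if t in KNOWN_REFERRER_POLICIES]
    return recognised[-1] if recognised else None

def check_security_headers(headers: Mapping[str, str]) -> Dict[str, bool]:
    """Return one boolean per plan assertion."""
    # Only the enforcing header counts; the Report-Only variant never blocks anything.
    csp = get_header(headers, "Content-Security-Policy")
    xcto = get_header(headers, "X-Content-Type-Options")
    referrer = get_header(headers, "Referrer-Policy")
    return {
        "csp_present": bool(csp and csp.strip()),
        "nosniff": bool(xcto and xcto.strip().lower() == "nosniff"),
        "referrer_policy_ok": bool(
            referrer and effective_referrer_policy(referrer) in ALLOWED_REFERRER_POLICIES
        ),
    }

# Constructed samples: a compliant response and one that only looks compliant.
GOOD_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url, strict-origin-when-cross-origin",
}
BAD_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Content-Type-Options": "sniff",
    "Referrer-Policy": "no-referrer, unsafe-url",
}
```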