import { buildContentSecurityPolicy, createNonce } from '@/lib/security/csp'; import { describe, expect, it } from 'vitest'; describe('CSP foundation', () => { it('generates unpredictable nonce-shaped values', () => { const first = createNonce(); const second = createNonce(); expect(first).toMatch(/^[a-f0-9]{32}$/); expect(second).not.toBe(first); }); it('allows development evaluation only in development', () => { expect(buildContentSecurityPolicy('abc', true)).toContain("'unsafe-eval'"); expect(buildContentSecurityPolicy('abc', false)).not.toContain("'unsafe-eval'"); expect(buildContentSecurityPolicy('abc', false)).toContain("'nonce-abc'"); expect(buildContentSecurityPolicy('abc', false)).toContain("style-src 'self' 'nonce-abc'"); expect(buildContentSecurityPolicy('abc', false)).not.toContain("'unsafe-inline'"); expect(buildContentSecurityPolicy('abc', false)).toContain("frame-ancestors 'none'"); }); });