apiRoutesContainingAny(['settings', 'configuration', 'config', 'frontend', 'bootstrap', 'env', 'health', 'debug']), 0, 120); $forbidden = ['APP_KEY', 'DB_PASSWORD', 'MAIL_PASSWORD', 'STRIPE_SECRET', 'PAYPAL_SECRET', 'JWT_SECRET', 'SANCTUM', 'password_hash', 'remember_token']; foreach ($routes as $route) { $method = $this->primaryMethod($route); if ($method !== 'GET') { continue; } $response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri()); $this->assertControlled($response, $method, $route->uri()); $this->assertNoServerError($response, 'secret exposure probe '.$route->uri()); $body = $response->getContent(); foreach ($forbidden as $needle) { $this->assertStringNotContainsString($needle, $body, $route->uri().' must not expose '.$needle); } } } public function test_low_privilege_users_cannot_read_sensitive_configuration_domains(): void { $routes = array_slice($this->apiRoutesContainingAny(['settings', 'configuration', 'config', 'permissions']), 0, 100); foreach ($routes as $route) { $method = $this->primaryMethod($route); $response = $this->requestAs($this->studentUser, $method, $route->uri(), $this->payloadFor($method, $route->uri())); $this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], 'student must not read/mutate sensitive configuration '.$method.' '.$route->uri()); $this->assertNoServerError($response, 'student configuration probe '.$method.' '.$route->uri()); } } }