From 8f70ec4bb92d904e17c4ff0a225a382bda7e289e Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 5 Sep 2025 13:57:08 +0200
Subject: [PATCH 1/2] add test for dg25-19
---
 .../tests/integration/api/auth.rs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index c6f29abd6c..2c13d9c45b 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
@@ -32,6 +32,24 @@ pub struct RecoveryCodes {
 codes: Option>,
 }
+#[sqlx::test]
+async fn dg25_19_clickjacking_vulnerability(_: PgPoolOptions, options: PgConnectOptions) {
+ let pool = setup_pool(options).await;
+
+ let client = make_client(pool).await;
+
+ let response = client.get("/").send().await;
+ assert_eq!(response.status(), StatusCode::OK);
+
+ let headers = response.headers();
+ let csp_header = headers.get("content-security-policy").unwrap();
+ let csp_value = csp_header.to_str().unwrap();
+ assert!(
+ csp_value.contains("frame-ancestors 'none'"),
+ "CSP header should block all iframes with 'none' directive"
+ );
+}
+
 #[sqlx::test]
 async fn test_logout(_: PgPoolOptions, options: PgConnectOptions) {
 let pool = setup_pool(options).await;
From 7e14a41ad7c79fe8f7a2555eb9ca8f7385d76a85 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 5 Sep 2025 14:12:54 +0200
Subject: [PATCH 2/2] tests don't have frontend built
---
 crates/defguard_core/tests/integration/api/auth.rs | 2 --
 1 file changed, 2 deletions(-)
diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index 2c13d9c45b..c483b3e200 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
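Review bot: The final assertion's substring check `csp_value.contains("frame-ancestors 'none'")` accepts a directive that does not block framing, because browsers ignore `'none'` when other source expressions are present in the same directive, so a header such as `frame-ancestors 'none' https://example.invalid` (constructed example) would pass the test while leaving the page frameable. Parse the `frame-ancestors` directive out of the header and assert its value is exactly `'none'`; the rewrite below does that and also replaces the two bare `unwrap()` calls with `expect` messages naming what is missing, so a failure reports "no CSP header" rather than a generic panic. The test only exercises `/`; if the header is emitted per-route rather than by a middleware layer (not visible in this hunk), other routes stay uncovered, so consider asserting the same directive on at least one API route and one authenticated page.
```rust
    let headers = response.headers();
    let csp_value = headers
        .get("content-security-policy")
        .expect("response to `/` is missing the Content-Security-Policy header")
        .to_str()
        .expect("Content-Security-Policy header is not valid ASCII");
    // `'none'` only blocks framing when it is the directive's sole source expression,
    // so the directive is parsed rather than substring-matched.
    let frame_ancestors: Vec<&str> = csp_value
        .split(';')
        .map(|directive| directive.split_whitespace().collect())
        .find(|tokens: &Vec<&str>| {
            tokens
                .first()
                .is_some_and(|name| name.eq_ignore_ascii_case("frame-ancestors"))
        })
        .expect("CSP header has no frame-ancestors directive");
    assert_eq!(
        frame_ancestors[1..],
        ["'none'"],
        "frame-ancestors must be exactly 'none' to block all framing, got: {csp_value}"
    );
```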
@@ -39,8 +39,6 @@ async fn dg25_19_clickjacking_vulnerability(_: PgPoolOptions, options: PgConnect
 let client = make_client(pool).await;
 let response = client.get("/").send().await;
- assert_eq!(response.status(), StatusCode::OK);
-
 let headers = response.headers();
 let csp_header = headers.get("content-security-policy").unwrap();
 let csp_value = csp_header.to_str().unwrap();
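Review bot: Removing the `assert_eq!(response.status(), StatusCode::OK)` line leaves nothing in the test body recording why a non-200 from `/` is acceptable; the reason is only in the commit message ("tests don't have frontend built"), so the next reader is likely to reinstate the assertion and hit the same failure. Add a comment in its place, e.g. `// No frontend is built for integration tests, so "/" is not expected to return 200; only the security headers on whatever response is served are asserted.`. A weaker guard such as `assert!(!response.status().is_server_error(), "unexpected status {}", response.status());` before the header lookup would still separate a server-side failure from a genuinely missing header, assuming `status()` returns the same `StatusCode` type the removed line compared against. The enclosing function `dg25_19_clickjacking_vulnerability` both starts and ends outside this hunk.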