
Security header validation in Postman

Introduction

Security header validation helps ensure that web responses include important headers that protect users from attacks. It checks if these headers are present and correctly set.

When testing a website to confirm it uses security headers like Content-Security-Policy or X-Frame-Options.
When verifying that a web API response includes headers to prevent cross-site scripting or clickjacking.
When performing security testing to meet compliance or security standards.
When checking if recent security fixes have been applied to HTTP headers.
When automating tests to catch missing or incorrect security headers in continuous integration.
Syntax
Postman
pm.test('Header Name is present', function () {
    pm.response.to.have.header('Header-Name');
});
pm.test('Header Name has correct value', function () {
    pm.expect(pm.response.headers.get('Header-Name')).to.eql('Expected-Value');
});

Use pm.response.to.have.header() to check if a header exists.

Use pm.expect() with pm.response.headers.get() to check header values.

Examples
This test checks if the Content-Security-Policy header is included in the response.
Postman
pm.test('Content-Security-Policy header is present', function () {
    pm.response.to.have.header('Content-Security-Policy');
});
This test verifies that the X-Frame-Options header is set to DENY, which prevents clickjacking.
Postman
pm.test('X-Frame-Options header has value DENY', function () {
    pm.expect(pm.response.headers.get('X-Frame-Options')).to.eql('DENY');
});
This test confirms the Strict-Transport-Security header contains the max-age directive to enforce HTTPS.
Postman
pm.test('Strict-Transport-Security header includes max-age', function () {
    const sts = pm.response.headers.get('Strict-Transport-Security');
    pm.expect(sts).to.include('max-age');
});
Sample Program

This Postman test script checks three important security headers: Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security. It verifies their presence and correct values to help protect the web application.

Postman
pm.test('Security headers validation', function () {
    // Content-Security-Policy: present and restricted to same-origin sources
    pm.response.to.have.header('Content-Security-Policy');
    pm.expect(pm.response.headers.get('Content-Security-Policy')).to.eql("default-src 'self'");

    // X-Frame-Options: present and set to DENY so the page cannot be framed
    pm.response.to.have.header('X-Frame-Options');
    pm.expect(pm.response.headers.get('X-Frame-Options')).to.eql('DENY');

    // Strict-Transport-Security: present with a one-year max-age
    pm.response.to.have.header('Strict-Transport-Security');
    const sts = pm.response.headers.get('Strict-Transport-Security');
    pm.expect(sts).to.include('max-age=31536000');
});
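The checks above pass or fail one at a time and accept any header containing the text "max-age", even max-age=0, which actually tells browsers to discard the HSTS policy. The validator below is an added example, not code from the original page: it parses the max-age directive, accepts both DENY and SAMEORIGIN for X-Frame-Options, matches header names case-insensitively and returns every finding as data. The header object format is an assumption; inside a Postman test it could be fed pm.response.headers.toObject() and asserted to be empty.

```javascript
// Added example (not from the original page). Case-insensitive header lookup;
// `headers` is a plain object such as pm.response.headers.toObject() (assumption).
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// Parse the max-age directive of Strict-Transport-Security (RFC 6797).
// Returns the number of seconds, or null when the directive is absent or malformed.
function hstsMaxAge(value) {
  if (!value) return null;
  for (const part of value.split(';')) {
    const m = part.trim().match(/^max-age\s*=\s*"?(\d+)"?$/i);
    if (m) return parseInt(m[1], 10);
  }
  return null;
}

// Check the three headers discussed on this page and return an array of
// findings; an empty array means every check passed.
function validateSecurityHeaders(headers, minHstsAge = 31536000) {
  const findings = [];

  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp === null) findings.push('Content-Security-Policy missing');
  else if (!/\b(default-src|script-src)\b/i.test(csp)) findings.push('Content-Security-Policy sets neither default-src nor script-src');

  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo === null) findings.push('X-Frame-Options missing');
  else if (!['DENY', 'SAMEORIGIN'].includes(xfo.trim().toUpperCase())) findings.push(`X-Frame-Options has unexpected value "${xfo}"`);

  const sts = getHeader(headers, 'Strict-Transport-Security');
  const age = hstsMaxAge(sts);
  if (sts === null) findings.push('Strict-Transport-Security missing');
  else if (age === null) findings.push('Strict-Transport-Security has no valid max-age');
  else if (age < minHstsAge) findings.push(`Strict-Transport-Security max-age ${age} is below ${minHstsAge}`);

  return findings;
}

// Constructed sample responses (not captured from a real server).
const GOOD_HEADERS = {
  'content-security-policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};
const WEAK_HEADERS = { 'X-Frame-Options': 'ALLOWALL', 'Strict-Transport-Security': 'max-age=0' };

// In a Postman test: pm.expect(validateSecurityHeaders(pm.response.headers.toObject())).to.eql([]);
```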
Important Notes

Always check for both presence and correct values of security headers.

Header names are case-insensitive, but use the canonical spelling (for example Content-Security-Policy) so tests stay readable.

Security headers help protect users from common web attacks like XSS and clickjacking.

Summary

Security header validation ensures important HTTP headers exist and have correct values.

Use Postman tests to automate checking headers like Content-Security-Policy and X-Frame-Options.

This helps keep web applications safer and compliant with security best practices.