
Security header validation in Postman - Practice Problems & Coding Challenges

Challenge - 5 Problems
assertion
intermediate
Validate Content-Security-Policy Header Presence

You want to write a Postman test to check if the Content-Security-Policy header is present in the response.

Which assertion code snippet correctly verifies this?

A. pm.test('Content-Security-Policy header is present', () => { pm.response.to.have.header('Content-Security-Policy'); });
B. pm.test('Content-Security-Policy header is present', () => { pm.response.headers.has('Content-Security-Policy'); });
C. pm.test('Content-Security-Policy header is present', () => { pm.expect(pm.response.headers.get('Content-Security-Policy')).to.exist; });
D. pm.test('Content-Security-Policy header is present', () => { pm.response.to.have.property('Content-Security-Policy'); });
💡 Hint

Use Postman's built-in assertion methods to check headers.

Predict Output
intermediate
Output of Postman Test Checking X-Frame-Options Value

What is the test result when running this Postman test if the response header X-Frame-Options has the value DENY?

pm.test('X-Frame-Options is DENY', () => {
  pm.expect(pm.response.headers.get('X-Frame-Options')).to.eql('DENY');
});
A. Test throws TypeError
B. Test fails with AssertionError
C. Test passes successfully
D. Test is skipped
💡 Hint

Check if the header value matches exactly.

🔧 Debug
advanced
Identify the Error in Postman Test for Strict-Transport-Security

Review this Postman test code snippet. It is intended to check if the Strict-Transport-Security header contains max-age=31536000. What error will occur when running this test?

pm.test('HSTS max-age check', () => {
  const hsts = pm.response.headers.get('Strict-Transport-Security');
  pm.expect(hsts.includes('max-age=31536000')).to.be.true;
});
A. TypeError: Cannot read property 'includes' of null
B. No error, test passes
C. SyntaxError: Unexpected token '.'
D. AssertionError: expected false to be true
💡 Hint

Consider what happens if the header is missing.

🧠 Conceptual
advanced
Best Practice for Validating Multiple Security Headers in Postman

You want to validate that the response contains these security headers with correct values:

  • Content-Security-Policy: default-src 'self'
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: no-referrer

Which approach is best to write these validations in Postman tests?

A. Write a single assertion that checks if the response headers object has length 3
B. Write one pm.test block that asserts all headers together using multiple pm.expect calls
C. Check only one header and assume others are correct
D. Write separate pm.test blocks for each header with specific assertions
💡 Hint

Think about clarity and test reporting.

framework
expert
Automating Security Header Validation Across Multiple Environments in Postman

You have multiple environments (dev, staging, production) with different base URLs. You want to automate security header validation tests in Postman so they run on all environments without duplicating test scripts.

Which method best achieves this goal?

A. Manually run tests in each environment and save separate collections for each
B. Use Postman Collection variables for base URLs and write tests once in the collection's test scripts
C. Copy the same test scripts into each environment's pre-request scripts
D. Write environment-specific tests inside each request's test tab
💡 Hint

Think about reusability and maintainability.