Postman | testing | ~15 mins

Security header validation in Postman - Build an Automation Script

Validate security headers in API response
Preconditions (2)
Step 1: Send a GET request to the API endpoint https://api.example.com/data
Step 2: Inspect the response headers
Step 3: Verify that the following security headers are present:
- Content-Security-Policy
- X-Content-Type-Options
- Strict-Transport-Security
- X-Frame-Options
- Referrer-Policy
Step 4: Verify that each header has the expected value:
- Content-Security-Policy: default-src 'self'
- X-Content-Type-Options: nosniff
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Frame-Options: DENY
- Referrer-Policy: no-referrer
✅ Expected Result: All listed security headers are present in the response with the exact expected values.
Automation Requirements - Postman Tests (JavaScript)
Assertions Needed:
Response headers contain Content-Security-Policy with value "default-src 'self'"
Response headers contain X-Content-Type-Options with value "nosniff"
Response headers contain Strict-Transport-Security with value "max-age=31536000; includeSubDomains"
Response headers contain X-Frame-Options with value "DENY"
Response headers contain Referrer-Policy with value "no-referrer"
Best Practices:
Use pm.response.headers.get() to access headers
Use strict equality checks for header values
Write clear assertion messages
Keep test code readable and maintainable
Automated Solution
Postman
pm.test('Validate Content-Security-Policy header', () => {
    const csp = pm.response.headers.get('Content-Security-Policy');
    pm.expect(csp).to.eql("default-src 'self'");
});

pm.test('Validate X-Content-Type-Options header', () => {
    const xcto = pm.response.headers.get('X-Content-Type-Options');
    pm.expect(xcto).to.eql('nosniff');
});

pm.test('Validate Strict-Transport-Security header', () => {
    const sts = pm.response.headers.get('Strict-Transport-Security');
    pm.expect(sts).to.eql('max-age=31536000; includeSubDomains');
});

pm.test('Validate X-Frame-Options header', () => {
    const xfo = pm.response.headers.get('X-Frame-Options');
    pm.expect(xfo).to.eql('DENY');
});

pm.test('Validate Referrer-Policy header', () => {
    const rp = pm.response.headers.get('Referrer-Policy');
    pm.expect(rp).to.eql('no-referrer');
});

This Postman test script checks each required security header individually.

Each pm.test block names the header it validates for clarity.

We use pm.response.headers.get() to get the header value by name.

The pm.expect(...).to.eql(...) assertion checks that the header value exactly matches the expected string.

This approach ensures clear, maintainable tests that will fail if any header is missing or has an incorrect value.

Common Mistakes - 4 Pitfalls
Treating header names as case-sensitive (HTTP header names are case-insensitive, so a server may legitimately send x-frame-options; look them up case-insensitively)
Using loose equality (==) instead of strict equality (=== or to.eql)
Not checking that a header is present before asserting on its value (a missing header should be reported as missing, not as a confusing value mismatch)
Hardcoding expected header values without first verifying what the server actually returns
Bonus Challenge

Now add data-driven testing with 3 different API endpoints to validate security headers on each.
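The following is an added example, not the page's own solution, that addresses both the four pitfalls listed under Common Mistakes and the data-driven bonus challenge. It assumes response headers arrive as an array of { key, value } objects (the shape returned by Postman's pm.response.headers.toJSON()); the three endpoint URLs and their header sets are constructed fixtures, not real servers. Outside the Postman sandbox the script runs stand-alone in Node and prints a per-endpoint report; inside Postman the guarded block at the end wires the same validator into a single pm.test.

```javascript
// Added example (not the page's own solution): a header validator that avoids the
// four pitfalls listed above, plus a data-driven driver over several endpoints.
// Runs stand-alone in Node; inside Postman the same function is called from a
// pm.test block (see the guarded section at the bottom).

// Expected security headers and their exact values (from the test case).
const EXPECTED_SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'no-referrer',
};

// Look a header up case-insensitively (HTTP header names are case-insensitive,
// so a server may send "x-frame-options" and still be correct).
// `headers` is an array of { key, value } objects, the shape Postman's
// pm.response.headers.toJSON() returns; a plain object also works.
// Leading/trailing whitespace in a value is not significant, so it is trimmed.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const list = Array.isArray(headers)
    ? headers
    : Object.entries(headers).map(([key, value]) => ({ key, value }));
  const hit = list.find((h) => String(h.key).toLowerCase() === wanted);
  return hit === undefined ? null : String(hit.value).trim();
}

// Check presence first, then strict equality; return one finding per problem
// so a single run reports every missing or wrong header rather than the first.
function validateSecurityHeaders(headers, expected = EXPECTED_SECURITY_HEADERS) {
  const findings = [];
  for (const [name, want] of Object.entries(expected)) {
    const got = getHeader(headers, name);
    if (got === null) {
      findings.push({ header: name, problem: 'missing', expected: want, actual: null });
    } else if (got !== want) {
      findings.push({ header: name, problem: 'wrong value', expected: want, actual: got });
    }
  }
  return findings;
}

// Data-driven driver: run the same validation against several endpoints and
// collect findings per endpoint. `fetchHeaders` is injected so the driver is
// testable offline; in Postman the collection runner plays this role.
function validateEndpoints(endpoints, fetchHeaders, expected = EXPECTED_SECURITY_HEADERS) {
  const report = {};
  for (const url of endpoints) {
    report[url] = validateSecurityHeaders(fetchHeaders(url), expected);
  }
  return report;
}

// Constructed sample responses for three hypothetical endpoints (not real servers).
const SAMPLE_RESPONSES = {
  'https://api.example.com/data': [
    { key: 'Content-Type', value: 'application/json' },
    { key: 'content-security-policy', value: "default-src 'self'" }, // lower-case name: still valid
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Referrer-Policy', value: 'no-referrer' },
  ],
  'https://api.example.com/users': [
    { key: 'Content-Security-Policy', value: "default-src 'self'" },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Strict-Transport-Security', value: 'max-age=300' }, // wrong value
    { key: 'X-Frame-Options', value: 'SAMEORIGIN' },            // wrong value
    // Referrer-Policy missing entirely
  ],
  'https://api.example.com/health': [
    { key: 'Content-Type', value: 'text/plain' }, // no security headers at all
  ],
};

const sampleFetch = (url) => SAMPLE_RESPONSES[url] || [];

// Inside Postman, wire the validator into a single test so a failure lists
// every finding at once. `pm` only exists in the Postman sandbox.
if (typeof pm !== 'undefined') {
  pm.test('All required security headers present with exact values', () => {
    const findings = validateSecurityHeaders(pm.response.headers.toJSON());
    pm.expect(findings, JSON.stringify(findings, null, 2)).to.be.empty;
  });
} else {
  const report = validateEndpoints(Object.keys(SAMPLE_RESPONSES), sampleFetch);
  for (const [url, findings] of Object.entries(report)) {
    console.log(url, findings.length === 0 ? 'OK' : findings);
  }
}
```

For the bonus challenge in Postman itself, put the endpoint URLs in a CSV or JSON data file, set the request URL to a variable such as {{baseUrl}}, and run the collection with that file; each iteration then executes the same pm.test against a different endpoint, and the findings array in the failure message shows exactly which headers were missing or wrong for that iteration.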
