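` block in the layout (the FOUC handler)
 * must be stamped with that same nonce so it can execute under the
 * stricter policy. `'unsafe-inline'` and `'unsafe-eval'` must not appear
 * anywhere in `script-src`.
 */
final class CspHeaderTest extends AppTestCase
{
    protected function setUp(): void
    {
        $this->bootApp();
    }

    /**
     * The login page must ship a strict `script-src`: `'self'` plus a
     * nonce, and never `'unsafe-inline'` or `'unsafe-eval'`.
     *
     * The nonce is also checked for length: CSP Level 3 recommends at least
     * 128 bits of randomness, which is 22 characters in unpadded base64url
     * (the alphabet the regex allows) or 32 in hex. A nonce the browser
     * accepts but an attacker can guess gives no protection, so "non-empty"
     * is not a strong enough assertion.
     */
    public function testLoginPageCarriesStrictCsp(): void
    {
        $response = $this->request('GET', '/login');
        self::assertSame(200, $response->getStatusCode());

        $csp = $response->getHeaderLine('Content-Security-Policy');
        self::assertNotSame('', $csp, 'CSP header must be set');

        // Inspect the script-src directive in isolation (helper defined further
        // down in this class) so that a keyword appearing in some other
        // directive neither masks nor fakes a finding here.
        $scriptSrc = self::scriptSrc($csp);
        self::assertStringNotContainsString("'unsafe-inline'", $scriptSrc);
        self::assertStringNotContainsString("'unsafe-eval'", $scriptSrc);

        // {22,} rather than +: reject nonces generated from too little entropy.
        self::assertMatchesRegularExpression(
            "/script-src 'self' 'nonce-[A-Za-z0-9_-]{22,}'/",
            $csp,
            'script-src must carry a nonce of at least 22 characters (128 bits)',
        );
    }

    /**
     * A nonce is only a meaningful allow-list entry if it is minted per
     * response. A nonce reused across responses can be read from one page
     * and replayed in an injection on another, which collapses the policy
     * to `'unsafe-inline'` in practice.
     */
    public function testScriptNonceDiffersBetweenResponses(): void
    {
        $pattern = "/'nonce-([A-Za-z0-9_-]+)'/";
        $nonces = [];

        foreach ([1, 2] as $attempt) {
            $csp = $this->request('GET', '/login')->getHeaderLine('Content-Security-Policy');
            self::assertSame(
                1,
                preg_match($pattern, $csp, $match),
                "response {$attempt} carries no script nonce",
            );
            $nonces[] = $match[1];
        }

        self::assertNotSame($nonces[0], $nonces[1], 'script nonce must be fresh on every response');
    }

    public function testInlineScriptCarriesMatchingNonce(): void
    {
        $response = $this->request('GET', '/login');
        $body = (string) $response->getBody();
        self::assertMatchesRegularExpression(
            '/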