assertHeader('X-Frame-Options', 'DENY') ->assertHeader('X-Content-Type-Options', 'nosniff') ->assertHeader('Referrer-Policy', 'strict-origin-when-cross-origin'); expect($response->headers->get('Content-Security-Policy'))->toContain("default-src 'self'"); });