Cats

All Tests / Test 6628

Test Id

Test 6628

Test Trace Id

6de6ef6e-c7b2-4535-ae64-124c8fa9ccdf

Timestamp

Tue, 23 Jun 2026 21:40:52 GMT

Scenario

Send a happy flow request and check the following Security Headers: [X-Frame-Options/Content-Security-Policy, Cache-Control, X-Content-Type-Options, X-XSS-Protection]

Expected Result

Should return 2XX and all the above security headers within the response

Result

error

Result Details

The following keywords were detected in the response which might suggest an error details leak: [unauthorized]

Contract Path

/api/auth/mfa

Fuzzer

CheckSecurityHeaders

Full Request Path

https://qa-api.puk3p.online/api/auth/mfa

Http Method

post

Request Details

Payload

{
  "mfaToken": "GWIURWTKTJKCQMHVCVHWOEYSFT",
  "code": "191727"
}

Request Details

Headers

[
  {
    "key": "Accept",
    "value": "application/json"
  },
  {
    "key": "Content-Type",
    "value": "application/json"
  },
  {
    "key": "User-Agent",
    "value": "cats/13.8.1-SNAPSHOT (Test 6628 - CheckSecurityHeaders)"
  },
  {
    "key": "X-Cats-Trace-Id",
    "value": "6de6ef6e-c7b2-4535-ae64-124c8fa9ccdf"
  }
]

Request Details

cURL

curl  -X POST \
     -H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "User-Agent: cats/13.8.1-SNAPSHOT (Test 6628 - CheckSecurityHeaders)" \
-H "X-Cats-Trace-Id: 6de6ef6e-c7b2-4535-ae64-124c8fa9ccdf" \
 \
      -d '{"mfaToken":"GWIURWTKTJKCQMHVCVHWOEYSFT","code":"191727"}' \
      https://qa-api.puk3p.online/api/auth/mfa

Response

{
  "responseCode": 401,
  "httpMethod": "POST",
  "responseTimeInMs": "133",
  "numberOfWordsInResponse": "8",
  "numberOfLinesInResponse": "1",
  "contentLengthInBytes": "193",
  "jsonBody": {
    "timestamp": "2026-06-23T21:40:52.321823916Z",
    "status": 401,
    "error": "Unauthorized",
    "message": "Your verification session expired — sign in again",
    "path": "/api/auth/mfa",
    "validationErrors": null
  },
  "headers": [
    {
      "key": "cache-control",
      "value": "no-cache, no-store, max-age=0, must-revalidate"
    },
    {
      "key": "content-type",
      "value": "application/json"
    },
    {
      "key": "date",
      "value": "Tue, 23 Jun 2026 21:40:52 GMT"
    },
    {
      "key": "expires",
      "value": "0"
    },
    {
      "key": "pragma",
      "value": "no-cache"
    },
    {
      "key": "server",
      "value": "nginx/1.24.0 (Ubuntu)"
    },
    {
      "key": "strict-transport-security",
      "value": "max-age=31536000 ; includeSubDomains"
    },
    {
      "key": "vary",
      "value": "Origin"
    },
    {
      "key": "x-content-type-options",
      "value": "nosniff"
    },
    {
      "key": "x-frame-options",
      "value": "DENY"
    },
    {
      "key": "x-xss-protection",
      "value": "0"
    }
  ],
  "responseContentType": "application/json"
}

CATS Replay

cats replay Test6628