Puppeteer Security Testing
Add 250+ security checks to your Puppeteer browser automation. Detect XSS vectors, CSP issues, insecure cookies, and more - with the same API you already know.
Quick Start with Puppeteer
1. Install QAstell
```bash
npm install qastell puppeteer
```
2. Add Security Auditing to Your Script
```js
// your-script.js: run it as an ES module (a .mjs file or "type": "module"
// in package.json), because the script uses top-level await.
import puppeteer from 'puppeteer';
import { SecurityAuditor } from 'qastell';

const browser = await puppeteer.launch();
const page = await browser.newPage();
await page.goto('https://your-app.com');

// Run 250+ security checks
const auditor = new SecurityAuditor(page);
await auditor.assertNoViolations();

await browser.close();
```
3. Run Your Script
```bash
node your-script.js
```
Zero Configuration: QAstell automatically detects Puppeteer pages. The same SecurityAuditor API works identically with both Playwright and Puppeteer.
Complete Puppeteer Example
Here's a comprehensive example showing security auditing with Puppeteer:
```js
import puppeteer from 'puppeteer';
import { SecurityAuditor } from 'qastell';
import * as fs from 'fs';

async function runSecurityAudit() {
  const browser = await puppeteer.launch({
    headless: 'new',
  });

  try {
    const page = await browser.newPage();

    // Navigate to your app
    await page.goto('https://your-app.com', {
      waitUntil: 'networkidle0',
    });

    // Run security audit
    const auditor = new SecurityAuditor(page);
    const results = await auditor.audit();

    // Log summary
    console.log(`Security audit complete:`);
    console.log(`  Total issues: ${results.summary.total}`);
    console.log(`  Critical: ${results.summary.bySeverity.critical}`);
    console.log(`  High: ${results.summary.bySeverity.high}`);

    // Generate HTML report
    fs.writeFileSync('security-report.html', results.toHTML());

    // Fail if critical issues found. Setting exitCode (rather than calling
    // process.exit() here) lets the finally block close the browser first.
    if (results.summary.bySeverity.critical > 0) {
      process.exitCode = 1;
    }
  } finally {
    await browser.close();
  }
}

runSecurityAudit();
```
Puppeteer-Specific Features
Works with Puppeteer Core
QAstell works with both puppeteer and puppeteer-core:
With puppeteer (bundled Chromium):

```js
import puppeteer from 'puppeteer';

const browser = await puppeteer.launch();
```

With puppeteer-core (bring your own browser):

```js
import puppeteer from 'puppeteer-core';

const browser = await puppeteer.launch({
  executablePath: '/path/to/chrome',
});
```

The same SecurityAuditor API works for both:

```js
const page = await browser.newPage();
const auditor = new SecurityAuditor(page);
```
Using with Jest
Integrate security checks into your Jest test suite:
```ts
import puppeteer, { Browser, Page } from 'puppeteer';
import { SecurityAuditor } from 'qastell';

describe('Security Tests', () => {
  let browser: Browser;
  let page: Page;

  beforeAll(async () => {
    browser = await puppeteer.launch();
  });

  beforeEach(async () => {
    page = await browser.newPage();
  });

  afterEach(async () => {
    await page.close();
  });

  afterAll(async () => {
    await browser.close();
  });

  test('homepage passes security audit', async () => {
    await page.goto('https://your-app.com');
    const auditor = new SecurityAuditor(page);
    await auditor.assertNoViolations();
  });
});
```
Multi-Page Crawling
Audit multiple pages in a single session:
```ts
import puppeteer from 'puppeteer';
import { SecurityAuditor } from 'qastell';

async function auditSite(urls: string[]) {
  const browser = await puppeteer.launch();
  const allResults = [];

  try {
    const page = await browser.newPage();
    for (const url of urls) {
      await page.goto(url, { waitUntil: 'networkidle0' });
      // A fresh auditor per page: each audit inspects the page's current state
      const auditor = new SecurityAuditor(page);
      const results = await auditor.audit();
      allResults.push({ url, results });
      console.log(`${url}: ${results.summary.total} issues`);
    }
  } finally {
    // Close the browser even if a navigation or audit throws mid-crawl
    await browser.close();
  }

  return allResults;
}
```
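A CI gate over the `allResults` array that `auditSite()` returns, as an added example that is not QAstell's own code or part of the original page. It relies only on the `summary.total` and `summary.bySeverity.critical` / `.high` fields shown above; the `medium` and `low` keys, the `GatePolicy` shape and the sample results are assumptions constructed for the example.

```typescript
// Added example (not QAstell's own code): gate a multi-page audit run in CI.
// Only summary.total and summary.bySeverity.critical / .high come from the
// documented result shape; the medium/low keys are an assumption.
type Severity = 'critical' | 'high' | 'medium' | 'low';
const SEVERITIES: Severity[] = ['critical', 'high', 'medium', 'low'];

interface SiteResult {
  url: string;
  results: { summary: { total: number; bySeverity: Partial<Record<Severity, number>> } };
}

interface GatePolicy {
  maxCritical: number; // per-page ceiling, e.g. 0 to block any critical finding
  maxHigh: number;
}

interface GateReport {
  totals: Record<Severity, number>;           // site-wide counts per severity
  failing: { url: string; reason: string }[]; // pages that breach the policy
  passed: boolean;
}

function gateSiteResults(all: SiteResult[], policy: GatePolicy): GateReport {
  const totals: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0 };
  const failing: GateReport['failing'] = [];
  for (const { url, results } of all) {
    const by = results.summary.bySeverity;
    for (const s of SEVERITIES) totals[s] += by[s] ?? 0;
    const critical = by.critical ?? 0;
    const high = by.high ?? 0;
    // Report the most severe breach per page so the CI log stays readable.
    if (critical > policy.maxCritical) {
      failing.push({ url, reason: `${critical} critical (max ${policy.maxCritical})` });
    } else if (high > policy.maxHigh) {
      failing.push({ url, reason: `${high} high (max ${policy.maxHigh})` });
    }
  }
  return { totals, failing, passed: failing.length === 0 };
}

// Constructed sample in the shape auditSite() returns; swap in the real array.
const SAMPLE_RESULTS: SiteResult[] = [
  { url: 'https://your-app.com/', results: { summary: { total: 3, bySeverity: { high: 1, medium: 2 } } } },
  { url: 'https://your-app.com/login', results: { summary: { total: 5, bySeverity: { critical: 2, high: 1, low: 2 } } } },
  { url: 'https://your-app.com/about', results: { summary: { total: 0, bySeverity: {} } } },
];

const report = gateSiteResults(SAMPLE_RESULTS, { maxCritical: 0, maxHigh: 3 });
for (const f of report.failing) console.log(`FAIL ${f.url}: ${f.reason}`);
console.log(`totals=${JSON.stringify(report.totals)} passed=${report.passed}`);
// Set process.exitCode = 1 when !report.passed to fail the pipeline.
```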
Headless Mode Options
QAstell works with all Puppeteer headless modes:
New headless mode (recommended):

```js
const browser = await puppeteer.launch({
  headless: 'new',
});
```

Classic headless mode:

```js
const browser = await puppeteer.launch({
  headless: true,
});
```

Headed mode (for debugging):

```js
const browser = await puppeteer.launch({
  headless: false,
});
```
Integration with Jest Config
If you're using Jest with Puppeteer, set up the license globally in your Jest setup file:
```js
// jest.setup.js or setupFilesAfterEnv
import { initLicense } from 'qastell';

// Initialize license once before all tests
initLicense(process.env.QASTELL_LICENSE);
```
Then reference it in your Jest config:
```js
// jest.config.js
module.exports = {
  setupFilesAfterEnv: ['./jest.setup.js'],
  // ... other config
};
```
Or initialize directly in a test file:
```js
// security.test.js
import puppeteer from 'puppeteer';
import { SecurityAuditor, initLicense } from 'qastell';

// Initialize once at module load
initLicense(process.env.QASTELL_LICENSE);

describe('Security Tests', () => {
  // ... your tests
});
```
Force Framework Detection
If you're using custom page wrappers and auto-detection fails, you can force Puppeteer mode:
```js
const auditor = new SecurityAuditor(page, { framework: 'puppeteer' });

// Verify the detected framework
console.log(auditor.getFramework()); // 'puppeteer'
```
What Gets Checked
QAstell runs 250+ security checks across these categories when using Puppeteer:
- Security Headers - CSP, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy
- Cookies - HttpOnly, Secure, SameSite flags on sensitive cookies
- Forms - CSRF tokens, autocomplete on sensitive fields, action URLs
- Links - Missing rel="noopener", javascript: URLs
- DOM Security - Inline handlers, DOM clobbering, prototype pollution
- Secrets - API keys, tokens in HTML, comments, localStorage
- Mixed Content - HTTP resources on HTTPS pages
- And 40+ more categories...