Security Tests

Write security tests that verify authentication, authorization, and data protection.

Test Creation Checklist

Authentication Testing

• Verify login succeeds with valid credentials and fails with invalid ones
• Test token expiration, refresh, and revocation flows
• Check multi-factor authentication enforcement and bypass prevention
• Validate session management (creation, timeout, invalidation)
• Test brute-force protection and account lockout mechanisms

Authorization Boundary Testing

• Verify role-based access control for all protected resources
• Test horizontal privilege escalation (accessing other users' data)
• Test vertical privilege escalation (performing admin-only actions)
• Check authorization enforcement at API layer, not just UI
• Validate that denied requests return no sensitive information in errors