Introduction
The FedRAMP tests check the target site against FedRAMP controls. Important! None of the tests guarantee FedRAMP compliance; review and adjust them as needed.
Test Descriptions
Cypress test IDs use -CY- and Cypress files end with .cy.js. Playwright test IDs use -PW- and Playwright files end with .spec.js. Currently, FedRAMP tests are implemented for the Playwright set only.
FedRAMP tests start at ATK-XX-1200.
| Test ID | File Name | Tags | Description |
|---|---|---|---|
| ATK-XX-1200 | atk_rapid_login | @fedramp @multiple-logins | Multiple rapid logins via the GUI, which can be seen as atypical activity (AC-10). This test checks that the number of simultaneous sessions is limited. |
| ATK-XX-1201 | atk_rapid_login | @fedramp @multiple-logins | Multiple unsuccessful rapid logins via the GUI, which can be seen as atypical activity (AC-7). This test asserts that an account is blocked after more than 3 concurrent failed login attempts. Change the assertions for your organization if needed. |
| ATK-XX-1210 | atk_cors | @fedramp @cors | Basic CORS enforcement (an unauthorized origin is denied). |
| ATK-XX-1211 | atk_cors | @fedramp @cors | Preflight CORS. |
| ATK-XX-1213 | atk_cors | @fedramp @cors | Attempts a POST to an authenticated form endpoint without a valid CSRF token and confirms that it fails. Tests the user edit form, a realistic CSRF target: an authenticated user could be tricked into changing their email address via a malicious cross-site request. |
| ATK-XX-1221 | atk_session | @fedramp @session-switching | Checks that the session ID changes between users (session rotation). |
| ATK-XX-1222 | atk_session | @fedramp @logout-correctness | Checks that after logout the session cookie is removed or invalidated. |
| ATK-XX-1230 | atk_access | @fedramp @unauthorized-access | Resource not under Drupal's control. Checks that a file located in the web folder but lacking read permissions gets a 401 response. In effect, this tests that the web application runs as a separate user. |
| ATK-XX-1231 | atk_access | @fedramp @unauthorized-access | Resource under Drupal's control. For the list of resources, checks that each gets a 403 response for an unauthenticated request. See AC-14. |
| ATK-XX-1234 | atk_access | @fedramp @unauthorized-access | Resource under Drupal's control. For the list of resources, checks that each gets a 403 response when accessed by an authorized user without the admin privilege. See AC-14. |
| ATK-XX-1235 | atk_access | @fedramp @unauthorized-access | A private file must not be accessible to an anonymous user (currently tested for an unpublished item only). See AC-3 (13). |
| ATK-XX-1240 | atk_encryption | | Ensures that secure access is enforced, i.e. a request to an insecure resource (http) is redirected to the secure one (https). See SC-8 (1). |
| ATK-XX-1250 | atk_security_headers | @fedramp @headers @security-headers @sc-7 | CSP, frame-ancestors / X-Frame-Options, and other browser-enforced boundary hardening. Control mapping: HSTS → SC-8 (and/or SC-13); CSP → SC-7, SI-10; X-Frame-Options / frame-ancestors → SC-7; Referrer-Policy / Permissions-Policy → generally SC-7 (and sometimes privacy-related control families, depending on how you're documenting). |
| ATK-XX-1251 | atk_security_headers | @fedramp @cookies @session @session-management | Asserts that session cookies are Secure, HttpOnly and SameSite after login. |
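The two header-level checks, ATK-XX-1250 and ATK-XX-1251, as an added example that is not the kit's own code: a dependency-free checker over captured response headers that a Playwright spec could call on the login response. The function names, the required-header set and the sample response are assumptions.

```javascript
// Added example (not the Automated Testing Kit's own code): offline checker for
// ATK-XX-1250 / ATK-XX-1251 over captured response headers. Names are assumed.
// Parse one Set-Cookie header value into its cookie name and attribute flags.
function parseSetCookie(value) {
  const [nameValue, ...attrs] = value.split(';').map((s) => s.trim());
  const c = { name: nameValue.split('=')[0], secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'secure') c.secure = true;
    else if (k.toLowerCase() === 'httponly') c.httpOnly = true;
    else if (k.toLowerCase() === 'samesite') c.sameSite = v.trim();
  }
  return c;
}

// ATK-XX-1251: every Drupal session cookie (SESS... over HTTP, SSESS... over
// HTTPS) must be Secure, HttpOnly and carry a SameSite value.
function sessionCookieFindings(setCookieHeaders) {
  const findings = [];
  for (const c of setCookieHeaders.map(parseSetCookie)) {
    if (!/^S?SESS/.test(c.name)) continue; // non-session cookies are out of scope
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.sameSite) findings.push(`${c.name}: missing SameSite`);
  }
  return findings;
}

// ATK-XX-1250: headers the test expects, each with the control it maps to.
const REQUIRED_HEADERS = {
  'strict-transport-security': 'SC-8', 'content-security-policy': 'SC-7, SI-10',
  'x-frame-options': 'SC-7', 'referrer-policy': 'SC-7', 'permissions-policy': 'SC-7',
};
function securityHeaderFindings(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h['content-security-policy'] || '';
  const findings = [];
  for (const [name, control] of Object.entries(REQUIRED_HEADERS)) {
    // A CSP frame-ancestors directive covers the X-Frame-Options requirement.
    if (name === 'x-frame-options' && /\bframe-ancestors\b/i.test(csp)) continue;
    if (!(name in h)) findings.push(`missing ${name} (${control})`);
  }
  return findings;
}

// Constructed sample login response: CSP covers framing and HSTS is present, but
// the session cookie has no SameSite and Referrer-/Permissions-Policy are absent.
const SAMPLE_HEADERS = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'", 'Strict-Transport-Security': 'max-age=31536000' };
const SAMPLE_SET_COOKIE = ['SSESSabc123=token; Path=/; Secure; HttpOnly', 'theme=dark; Path=/'];
console.log(securityHeaderFindings(SAMPLE_HEADERS), sessionCookieFindings(SAMPLE_SET_COOKIE));
```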