Installation
Install
Section titled “Install”npm install -D @orlalabs/kovarKovar requires @playwright/test >= 1.40.0 as a peer dependency. If you don’t have Playwright installed yet:
npm install -D @playwright/testnpx playwright installReplace your Playwright import with Kovar:
// Replace this:import { test, expect } from "@playwright/test";
// With this:import { test, expect } from "@orlalabs/kovar";That’s it. Your existing tests still work, and you now have access to security matchers and the security fixture.
What You Get
Section titled “What You Get”After swapping the import, you can use:
- Security matchers on
expect()—toHaveSecureHeaders(),toHaveSecureCookies(),toBeResilientToXSS(),toBeCSRFProtected(),toHaveSecureCORS(),toRequireAuthentication(),toBeAccessible(). - The
securityfixture — programmatic access to all checks withassert()andcheck()modes. - Full audit —
security.audit()runs all checks at once and returns a structured report.
All standard Playwright APIs (page, context, request, expect) continue to work exactly as before.
Optional: Reporter
Section titled “Optional: Reporter”Add the Kovar reporter to your Playwright config for a security summary after each test run:
import { defineConfig } from "@playwright/test";
export default defineConfig({ reporter: [["list"], ["@orlalabs/kovar/reporter"]],});See Reporter for details.
Optional: Standalone API
Section titled “Optional: Standalone API”To use Kovar’s check functions outside the Playwright test runner (in scripts, CI pipelines, or custom tooling), import from the /core subpath:
import { analyzeHeaders, analyzeCookies } from "@orlalabs/kovar/core";See Standalone API for the full list of exports.
Next Steps
Section titled “Next Steps”- Follow the Quick Start guide for your first security test.
- Learn about individual checks: Headers, Cookies, XSS.