diff --git a/requirements.txt b/requirements.txt
index f21b489..ef4362c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
Flask==3.0.3
numpy==1.26.4
-python-dateutil==2.9.0.post0
\ No newline at end of file
+python-dateutil==2.9.0.post0
+pytest==8.2.2
\ No newline at end of file
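Review bot: `pytest==8.2.2` is added to the same requirements.txt that pins the runtime dependencies (Flask, numpy, python-dateutil), so any deployment that installs from this file also installs the test runner and its transitive packages. If this file feeds a production build, which is not visible from the diff, move the line to a separate file such as `requirements-dev.txt` that begins with `-r requirements.txt`. That keeps the production dependency set, and the packages that have to be audited for it, as small as possible.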
diff --git a/test_app.py b/test_app.py
new file mode 100644
index 0000000..2d47c61
--- /dev/null
+++ b/test_app.py
@@ -0,0 +1,42 @@
+import os
+import pytest
+from app import app as flask_app
+
+@pytest.fixture
+def client():
+ flask_app.config['TESTING'] = True
+ with flask_app.test_client() as client:
+ yield client
+
+def test_homepage(client):
+ resp = client.get('/')
+ assert resp.status_code == 200
+ assert b'Elpatrons Datumsrechner' in resp.data
+
+def test_tage_berechnung(client):
+ resp = client.post('/', data={
+ 'action': 'tage',
+ 'start1': '2024-01-01',
+ 'end1': '2024-01-10'
+ })
+ assert resp.status_code == 200
+ assert b'Anzahl der Tage' in resp.data
+ assert b'9' in resp.data
+
+def test_xss_protection(client):
+ # Versuche ein Skript einzuschleusen
+ xss = ''
+ resp = client.post('/', data={
+ 'action': 'tage',
+ 'start1': xss,
+ 'end1': '2024-01-10'
+ })
+ assert resp.status_code == 200
+ # Das Skript darf nicht im HTML erscheinen (sollte escaped sein)
+ assert b'' not in resp.data
+ assert b'<script>alert(1)</script>' in resp.data
+
+def test_stats_login_required(client):
+ resp = client.get('/stats')
+ assert resp.status_code == 200
+ assert b'Dashboard Login' in resp.data
\ No newline at end of file
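Review bot: test_xss_protection does not verify escaping as written. `xss = ''` submits an empty payload, `assert b'' not in resp.data` can never pass because the empty byte string is contained in every response, and the final assertion requires the raw `<script>alert(1)</script>` to be present, which contradicts the comment above it. The literals may have been lost when this page was rendered, but as shown the three lines should read `xss = '<script>alert(1)</script>'`, `assert xss.encode() not in resp.data` and `assert b'&lt;script&gt;alert(1)&lt;/script&gt;' in resp.data`. The escaped-form assertion only holds if the view echoes the invalid `start1` value back, which is not visible here; if it does not, keep only the negative assertion. Separately, test_stats_login_required checks only that the login form renders, so it should also assert that no dashboard content appears in the unauthenticated response.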