if (preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)) {
$transportSecurityValidity = (int)$m[1];
if ($transportSecurityValidity < $minimumSeconds) {
$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds, $transportSecurityValidity])."\n";
}
} elseif (!empty($transportSecurityValidity)) {
$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is malformed: `%s`. For enhanced security, it is recommended to enable HSTS.', [$transportSecurityValidity])."\n";
} else {
$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set (should be at least `%d` seconds). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds])."\n";
}
if (!empty($msg)) {
return SetupResult::warning($this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg, descriptionParameters:$msgParameters);
return SetupResult::warning(
$this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg,
@ -161,6 +164,9 @@ class SecurityHeadersTest extends TestCase {
'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],
'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to enable HSTS.\n"],
'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"],
msg:t('core','The "Strict-Transport-Security" HTTP header is not set to at least "{seconds}" seconds. For enhanced security, it is recommended to enable HSTS as described in the {linkstart}security tips ↗{linkend}.',{'seconds':minimumSeconds})
it('should return a SSL warning if SSL used without Strict-Transport-Security-Header',function(done){
protocolStub.returns('https');
varasync=OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,
{
'X-XSS-Protection':'1; mode=block',
'X-Content-Type-Options':'nosniff',
'X-Robots-Tag':'noindex, nofollow',
'X-Frame-Options':'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies':'none',
'Referrer-Policy':'no-referrer',
}
);
async.done(function(data,s,x){
expect(data).toEqual([{
msg:'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
type:OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
});
});
it('should return a SSL warning if SSL used with to small Strict-Transport-Security-Header',function(done){
protocolStub.returns('https');
varasync=OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,
{
'Strict-Transport-Security':'max-age=15551999',
'X-XSS-Protection':'1; mode=block',
'X-Content-Type-Options':'nosniff',
'X-Robots-Tag':'noindex, nofollow',
'X-Frame-Options':'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies':'none',
'Referrer-Policy':'no-referrer',
}
);
async.done(function(data,s,x){
expect(data).toEqual([{
msg:'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
type:OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
});
});
it('should return a SSL warning if SSL used with to a bogus Strict-Transport-Security-Header',function(done){
protocolStub.returns('https');
varasync=OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,
{
'Strict-Transport-Security':'iAmABogusHeader342',
'X-XSS-Protection':'1; mode=block',
'X-Content-Type-Options':'nosniff',
'X-Robots-Tag':'noindex, nofollow',
'X-Frame-Options':'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies':'none',
'Referrer-Policy':'no-referrer',
}
);
async.done(function(data,s,x){
expect(data).toEqual([{
msg:'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.example.org/admin-security">security tips ↗</a>.',
type:OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
});
});
it('should return no SSL warning if SSL used with to exact the minimum Strict-Transport-Security-Header',function(done){
protocolStub.returns('https');
varasync=OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,{
'Strict-Transport-Security':'max-age=15768000',
'X-XSS-Protection':'1; mode=block',
'X-Content-Type-Options':'nosniff',
'X-Robots-Tag':'noindex, nofollow',
'X-Frame-Options':'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies':'none',
'Referrer-Policy':'no-referrer',
});
async.done(function(data,s,x){
expect(data).toEqual([]);
done();
});
});
it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header',function(done){
protocolStub.returns('https');
varasync=OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200,{
'Strict-Transport-Security':'max-age=99999999',
'X-XSS-Protection':'1; mode=block',
'X-Content-Type-Options':'nosniff',
'X-Robots-Tag':'noindex, nofollow',
'X-Frame-Options':'SAMEORIGIN',
'X-Permitted-Cross-Domain-Policies':'none',
'Referrer-Policy':'no-referrer',
});
async.done(function(data,s,x){
expect(data).toEqual([]);
done();
});
});
it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains parameter',function(done){
it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains and preload parameter',function(done){