mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
73992 Commits
428 Branches
Tree: 733a818139
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '733a818139'
${ noResults }
nextcloud/apps/settings/lib/SetupChecks/SecurityHeaders.php

SecurityHeaders.php 6.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160 
  1. <?php

  2. 

  3. declare(strict_types=1);

  4. 

  5. /**

  6.  * @copyright Copyright (c) 2023 Côme Chilliet <come.chilliet@nextcloud.com>

  7.  *

  8.  * @author Côme Chilliet <come.chilliet@nextcloud.com>

  9.  *

  10.  * @license GNU AGPL version 3 or any later version

  11.  *

  12.  * This program is free software: you can redistribute it and/or modify

  13.  * it under the terms of the GNU Affero General Public License as

  14.  * published by the Free Software Foundation, either version 3 of the

  15.  * License, or (at your option) any later version.

  16.  *

  17.  * This program is distributed in the hope that it will be useful,

  18.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  19.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  20.  * GNU Affero General Public License for more details.

  21.  *

  22.  * You should have received a copy of the GNU Affero General Public License

  23.  * along with this program. If not, see <http://www.gnu.org/licenses/>.

  24.  *

  25.  */

  26. 

  27. namespace OCA\Settings\SetupChecks;

  28. 

  29. use OCP\Http\Client\IClientService;

  30. use OCP\IConfig;

  31. use OCP\IL10N;

  32. use OCP\IURLGenerator;

  33. use OCP\SetupCheck\ISetupCheck;

  34. use OCP\SetupCheck\SetupResult;

  35. use Psr\Log\LoggerInterface;

  36. 

  37. class SecurityHeaders implements ISetupCheck {

  38. 

  39. 	use CheckServerResponseTrait;

  40. 

  41. 	public function __construct(

  42. 		protected IL10N $l10n,

  43. 		protected IConfig $config,

  44. 		protected IURLGenerator $urlGenerator,

  45. 		protected IClientService $clientService,

  46. 		protected LoggerInterface $logger,

  47. 	) {

  48. 	}

  49. 

  50. 	public function getCategory(): string {

  51. 		return 'security';

  52. 	}

  53. 

  54. 	public function getName(): string {

  55. 		return $this->l10n->t('HTTP headers');

  56. 	}

  57. 

  58. 	public function run(): SetupResult {

  59. 		$urls = [

  60. 			['get', $this->urlGenerator->linkToRoute('heartbeat'), [200]],

  61. 		];

  62. 		$securityHeaders = [

  63. 			'X-Content-Type-Options' => ['nosniff', null],

  64. 			'X-Robots-Tag' => ['noindex,nofollow', null],

  65. 			'X-Frame-Options' => ['sameorigin', 'deny'],

  66. 			'X-Permitted-Cross-Domain-Policies' => ['none', null],

  67. 		];

  68. 

  69. 		foreach ($urls as [$verb,$url,$validStatuses]) {

  70. 			$works = null;

  71. 			foreach ($this->runRequest($verb, $url, ['httpErrors' => false]) as $response) {

  72. 				// Check that the response status matches

  73. 				if (!in_array($response->getStatusCode(), $validStatuses)) {

  74. 					$works = false;

  75. 					continue;

  76. 				}

  77. 				$msg = '';

  78. 				$msgParameters = [];

  79. 				foreach ($securityHeaders as $header => [$expected, $accepted]) {

  80. 					/* Convert to lowercase and remove spaces after comas */

  81. 					$value = preg_replace('/,\s+/', ',', strtolower($response->getHeader($header)));

  82. 					if ($value !== $expected) {

  83. 						if ($accepted !== null && $value === $accepted) {

  84. 							$msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n";

  85. 						} else {

  86. 							$msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n";

  87. 						}

  88. 					}

  89. 				}

  90. 

  91. 				$xssfields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection')));

  92. 				if (!in_array('1', $xssfields) || !in_array('mode=block', $xssfields)) {

  93. 					$msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block'])."\n";

  94. 				}

  95. 

  96. 				$referrerPolicy = $response->getHeader('Referrer-Policy');

  97. 				if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) {

  98. 					$msg .= $this->l10n->t(

  99. 						'- The `%1$s` HTTP header is not set to `%2$s`, `%3$s`, `%4$s`, `%5$s` or `%6$s`. This can leak referer information. See the {w3c-recommendation}.',

  100. 						[

  101. 							'Referrer-Policy',

  102. 							'no-referrer',

  103. 							'no-referrer-when-downgrade',

  104. 							'strict-origin',

  105. 							'strict-origin-when-cross-origin',

  106. 							'same-origin',

  107. 						]

  108. 					)."\n";

  109. 					$msgParameters['w3c-recommendation'] = [

  110. 						'type' => 'highlight',

  111. 						'id' => 'w3c-recommendation',

  112. 						'name' => 'W3C Recommendation',

  113. 						'link' => 'https://www.w3.org/TR/referrer-policy/',

  114. 					];

  115. 				}

  116. 

  117. 				$transportSecurityValidity = $response->getHeader('Strict-Transport-Security');

  118. 				$minimumSeconds = 15552000;

  119. 				if (preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)) {

  120. 					$transportSecurityValidity = (int)$m[1];

  121. 					if ($transportSecurityValidity < $minimumSeconds) {

  122. 						$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to use a long HSTS policy.', [$minimumSeconds, $transportSecurityValidity])."\n";

  123. 					}

  124. 				} elseif (!empty($transportSecurityValidity)) {

  125. 					$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is malformed: `%s`. For enhanced security, it is recommended to enable HSTS.', [$transportSecurityValidity])."\n";

  126. 				} else {

  127. 					$msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set (should be at least `%d` seconds). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds])."\n";

  128. 				}

  129. 

  130. 				if (!empty($msg)) {

  131. 					return SetupResult::warning(

  132. 						$this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg,

  133. 						$this->urlGenerator->linkToDocs('admin-security'),

  134. 						$msgParameters,

  135. 					);

  136. 				}

  137. 				// Skip the other requests if one works

  138. 				$works = true;

  139. 				break;

  140. 			}

  141. 			// If 'works' is null then we could not connect to the server

  142. 			if ($works === null) {

  143. 				return SetupResult::info(

  144. 					$this->l10n->t('Could not check that your web server serves security headers correctly. Please check manually.'),

  145. 					$this->urlGenerator->linkToDocs('admin-security'),

  146. 				);

  147. 			}

  148. 			// Otherwise if we fail we can abort here

  149. 			if ($works === false) {

  150. 				return SetupResult::warning(

  151. 					$this->l10n->t("Could not check that your web server serves security headers correctly, unable to query `%s`", [$url]),

  152. 					$this->urlGenerator->linkToDocs('admin-security'),

  153. 				);

  154. 			}

  155. 		}

  156. 		return SetupResult::success(

  157. 			$this->l10n->t('Your server is correctly configured to send security headers.')

  158. 		);

  159. 	}

  160. }