authorCôme Chilliet <come.chilliet@nextcloud.com>2024-03-12 16:38:32 +0100
committerFerdinand Thiessen <opensource@fthiessen.de>2024-03-13 12:49:52 +0100
commit9f819f311f6182f864486dae61284d94117222f8 (patch)
tree7d0b4392b60dd306ce01c097a9a106746e6baaed /apps/settings/tests/SetupChecks
parentd7193ef65e14e3d240e9942e0630f96c7125f8f3 (diff)
downloadnextcloud-server-9f819f311f6182f864486dae61284d94117222f8.tar.gz
nextcloud-server-9f819f311f6182f864486dae61284d94117222f8.zip
feat: Migrate HSTS check to Security headers SetupCheck
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'apps/settings/tests/SetupChecks')
-rw-r--r--apps/settings/tests/SetupChecks/SecurityHeadersTest.php6
1 files changed, 6 insertions, 0 deletions
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
index 4f3304a081d..0856cca38ca 100644
--- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -120,6 +120,9 @@ class SecurityHeadersTest extends TestCase {
'referrer-strict-origin' => [['Referrer-Policy' => 'strict-origin']],
'referrer-strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
'referrer-same-origin' => [['Referrer-Policy' => 'same-origin']],
+ 'hsts-minimum' => [['Strict-Transport-Security' => 'max-age=15552000']],
+ 'hsts-include-subdomains' => [['Strict-Transport-Security' => 'max-age=99999999; includeSubDomains']],
+ 'hsts-include-subdomains-preload' => [['Strict-Transport-Security' => 'max-age=99999999; preload; includeSubDomains']],
];
}
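Review bot: The three passing datasets on lines 27–29 all spell the directive as lowercase `max-age`, so the provider does not pin whether the check honours RFC 6797's case-insensitive directive names. If the implementation (outside this hunk) is meant to accept `Max-Age=15552000` or `includesubdomains`, a dataset such as `'hsts-mixed-case' => [['Strict-Transport-Security' => 'Max-Age=15552000; IncludeSubDomains']],` would make that explicit; if it is meant to reject them, the same value belongs in the failing provider below instead. A boundary case for the non-`includeSubDomains` form at exactly the minimum is present, but there is none with `includeSubDomains` at the minimum, e.g. `'hsts-minimum-include-subdomains' => [['Strict-Transport-Security' => 'max-age=15552000; includeSubDomains']],`. The enclosing data-provider method starts before this hunk.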
@@ -161,6 +164,9 @@ class SecurityHeadersTest extends TestCase {
'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
+ 'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],
+ 'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to enable HSTS.\n"],
+ 'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"],
];
}
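Review bot: The `hsts-missing` dataset on line 36 models "not set" as a header present with an empty value, so the branch where the `Strict-Transport-Security` key is absent from the array is not exercised even though the expected message says the header "is not set". Assuming the provider's array is passed straight through as the response headers, adding `'hsts-absent' => [[], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],` would cover the genuinely missing case, and keeping `hsts-missing` documents that an empty value is treated the same way. Line 38 also shows the raw header value being echoed inside the message; a short dataset comment such as `// the header value is server-supplied and echoed verbatim in the message` would make that contract visible to the next maintainer. The enclosing data-provider method starts before this hunk.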