diff options
| author | Côme Chilliet <come.chilliet@nextcloud.com> | 2024-03-14 11:49:47 +0100 |
|---|---|---|
| committer | Côme Chilliet <come.chilliet@nextcloud.com> | 2024-03-14 11:49:47 +0100 |
| commit | 6278cf181ea90f550ff712a9850495b794b0dcf4 (patch) | |
| tree | f67aa4198dfa58c62f348a5e42ce84b7f103fe6b /apps/settings | |
| parent | 58ae7e4b28e8a5c34b817efec53a81f092903415 (diff) | |
| download | nextcloud-server-6278cf181ea90f550ff712a9850495b794b0dcf4.tar.gz nextcloud-server-6278cf181ea90f550ff712a9850495b794b0dcf4.zip | |
fix: Improve HSTS warning wording as suggested by reviewer
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Diffstat (limited to 'apps/settings')
| -rw-r--r-- | apps/settings/lib/SetupChecks/SecurityHeaders.php | 2 | ||||
| -rw-r--r-- | apps/settings/tests/SetupChecks/SecurityHeadersTest.php | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php index f1d66188744..f62c4c55308 100644 --- a/apps/settings/lib/SetupChecks/SecurityHeaders.php +++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php @@ -119,7 +119,7 @@ class SecurityHeaders implements ISetupCheck { if (preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)) { $transportSecurityValidity = (int)$m[1]; if ($transportSecurityValidity < $minimumSeconds) { - $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds, $transportSecurityValidity])."\n"; + $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to use a long HSTS policy.', [$minimumSeconds, $transportSecurityValidity])."\n"; } } elseif (!empty($transportSecurityValidity)) { $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is malformed: `%s`. For enhanced security, it is recommended to enable HSTS.', [$transportSecurityValidity])."\n"; diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php index 0856cca38ca..fb8eb757460 100644 --- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php +++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php @@ -165,7 +165,7 @@ class SecurityHeadersTest extends TestCase { 'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"], 'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"], 'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"], - 'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to enable HSTS.\n"], + 'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to use a long HSTS policy.\n"], 'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"], ]; } |