authorCôme Chilliet <91878298+come-nc@users.noreply.github.com>2024-03-14 14:39:35 +0100
committerGitHub <noreply@github.com>2024-03-14 14:39:35 +0100
commitd435f0c3d3543db8f425c0e6da37487336c6daec (patch)
treebe80ae5760dd8aa32d4108faa62051437371e544 /apps
parentd4ac4b81e14d6fb98a5ac19fe0dab3e2f1b97403 (diff)
parent6278cf181ea90f550ff712a9850495b794b0dcf4 (diff)
downloadnextcloud-server-d435f0c3d3543db8f425c0e6da37487336c6daec.tar.gz
nextcloud-server-d435f0c3d3543db8f425c0e6da37487336c6daec.zip
Merge pull request #44067 from nextcloud/fix/migrate-header-check-to-setupcheck
Migrate header check to setupcheck API
Diffstat (limited to 'apps')
-rw-r--r--apps/settings/composer/composer/autoload_classmap.php1
-rw-r--r--apps/settings/composer/composer/autoload_static.php1
-rw-r--r--apps/settings/lib/AppInfo/Application.php2
-rw-r--r--apps/settings/lib/SetupChecks/OcxProviders.php2
-rw-r--r--apps/settings/lib/SetupChecks/SecurityHeaders.php160
-rw-r--r--apps/settings/src/admin.js5
-rw-r--r--apps/settings/tests/SetupChecks/OcxProvicersTest.php14
-rw-r--r--apps/settings/tests/SetupChecks/SecurityHeadersTest.php224
8 files changed, 398 insertions, 11 deletions
diff --git a/apps/settings/composer/composer/autoload_classmap.php b/apps/settings/composer/composer/autoload_classmap.php
index b9709c8ad28..17e47f62a7d 100644
--- a/apps/settings/composer/composer/autoload_classmap.php
+++ b/apps/settings/composer/composer/autoload_classmap.php
@@ -117,6 +117,7 @@ return array(
'OCA\\Settings\\SetupChecks\\PushService' => $baseDir . '/../lib/SetupChecks/PushService.php',
'OCA\\Settings\\SetupChecks\\RandomnessSecure' => $baseDir . '/../lib/SetupChecks/RandomnessSecure.php',
'OCA\\Settings\\SetupChecks\\ReadOnlyConfig' => $baseDir . '/../lib/SetupChecks/ReadOnlyConfig.php',
+ 'OCA\\Settings\\SetupChecks\\SecurityHeaders' => $baseDir . '/../lib/SetupChecks/SecurityHeaders.php',
'OCA\\Settings\\SetupChecks\\SupportedDatabase' => $baseDir . '/../lib/SetupChecks/SupportedDatabase.php',
'OCA\\Settings\\SetupChecks\\SystemIs64bit' => $baseDir . '/../lib/SetupChecks/SystemIs64bit.php',
'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => $baseDir . '/../lib/SetupChecks/TempSpaceAvailable.php',
diff --git a/apps/settings/composer/composer/autoload_static.php b/apps/settings/composer/composer/autoload_static.php
index 67808ad23f2..1dccc69b923 100644
--- a/apps/settings/composer/composer/autoload_static.php
+++ b/apps/settings/composer/composer/autoload_static.php
@@ -132,6 +132,7 @@ class ComposerStaticInitSettings
'OCA\\Settings\\SetupChecks\\PushService' => __DIR__ . '/..' . '/../lib/SetupChecks/PushService.php',
'OCA\\Settings\\SetupChecks\\RandomnessSecure' => __DIR__ . '/..' . '/../lib/SetupChecks/RandomnessSecure.php',
'OCA\\Settings\\SetupChecks\\ReadOnlyConfig' => __DIR__ . '/..' . '/../lib/SetupChecks/ReadOnlyConfig.php',
+ 'OCA\\Settings\\SetupChecks\\SecurityHeaders' => __DIR__ . '/..' . '/../lib/SetupChecks/SecurityHeaders.php',
'OCA\\Settings\\SetupChecks\\SupportedDatabase' => __DIR__ . '/..' . '/../lib/SetupChecks/SupportedDatabase.php',
'OCA\\Settings\\SetupChecks\\SystemIs64bit' => __DIR__ . '/..' . '/../lib/SetupChecks/SystemIs64bit.php',
'OCA\\Settings\\SetupChecks\\TempSpaceAvailable' => __DIR__ . '/..' . '/../lib/SetupChecks/TempSpaceAvailable.php',
diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php
index 0977da398b0..9f7ec3036f4 100644
--- a/apps/settings/lib/AppInfo/Application.php
+++ b/apps/settings/lib/AppInfo/Application.php
@@ -86,6 +86,7 @@ use OCA\Settings\SetupChecks\PhpOutputBuffering;
use OCA\Settings\SetupChecks\PushService;
use OCA\Settings\SetupChecks\RandomnessSecure;
use OCA\Settings\SetupChecks\ReadOnlyConfig;
+use OCA\Settings\SetupChecks\SecurityHeaders;
use OCA\Settings\SetupChecks\SupportedDatabase;
use OCA\Settings\SetupChecks\SystemIs64bit;
use OCA\Settings\SetupChecks\TempSpaceAvailable;
@@ -214,6 +215,7 @@ class Application extends App implements IBootstrap {
$context->registerSetupCheck(PhpOutputBuffering::class);
$context->registerSetupCheck(RandomnessSecure::class);
$context->registerSetupCheck(ReadOnlyConfig::class);
+ $context->registerSetupCheck(SecurityHeaders::class);
$context->registerSetupCheck(SupportedDatabase::class);
$context->registerSetupCheck(SystemIs64bit::class);
$context->registerSetupCheck(TempSpaceAvailable::class);
diff --git a/apps/settings/lib/SetupChecks/OcxProviders.php b/apps/settings/lib/SetupChecks/OcxProviders.php
index d24f2843829..f387fe23a32 100644
--- a/apps/settings/lib/SetupChecks/OcxProviders.php
+++ b/apps/settings/lib/SetupChecks/OcxProviders.php
@@ -68,7 +68,7 @@ class OcxProviders implements ISetupCheck {
];
foreach ($providers as $provider) {
- foreach ($this->runHEAD($this->urlGenerator->getWebroot() . $provider) as $response) {
+ foreach ($this->runRequest('HEAD', $this->urlGenerator->getWebroot() . $provider, ['httpErrors' => false]) as $response) {
$testedProviders[$provider] = true;
if ($response->getStatusCode() === 200) {
$workingProviders[] = $provider;
diff --git a/apps/settings/lib/SetupChecks/SecurityHeaders.php b/apps/settings/lib/SetupChecks/SecurityHeaders.php
new file mode 100644
index 00000000000..f62c4c55308
--- /dev/null
+++ b/apps/settings/lib/SetupChecks/SecurityHeaders.php
@@ -0,0 +1,160 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2023 Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @author Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Settings\SetupChecks;
+
+use OCP\Http\Client\IClientService;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IURLGenerator;
+use OCP\SetupCheck\ISetupCheck;
+use OCP\SetupCheck\SetupResult;
+use Psr\Log\LoggerInterface;
+
+class SecurityHeaders implements ISetupCheck {
+
+ use CheckServerResponseTrait;
+
+ public function __construct(
+ protected IL10N $l10n,
+ protected IConfig $config,
+ protected IURLGenerator $urlGenerator,
+ protected IClientService $clientService,
+ protected LoggerInterface $logger,
+ ) {
+ }
+
+ public function getCategory(): string {
+ return 'security';
+ }
+
+ public function getName(): string {
+ return $this->l10n->t('HTTP headers');
+ }
+
+ public function run(): SetupResult {
+ $urls = [
+ ['get', $this->urlGenerator->linkToRoute('heartbeat'), [200]],
+ ];
+ $securityHeaders = [
+ 'X-Content-Type-Options' => ['nosniff', null],
+ 'X-Robots-Tag' => ['noindex,nofollow', null],
+ 'X-Frame-Options' => ['sameorigin', 'deny'],
+ 'X-Permitted-Cross-Domain-Policies' => ['none', null],
+ ];
+
+ foreach ($urls as [$verb,$url,$validStatuses]) {
+ $works = null;
+ foreach ($this->runRequest($verb, $url, ['httpErrors' => false]) as $response) {
+ // Check that the response status matches
+ if (!in_array($response->getStatusCode(), $validStatuses)) {
+ $works = false;
+ continue;
+ }
+ $msg = '';
+ $msgParameters = [];
+ foreach ($securityHeaders as $header => [$expected, $accepted]) {
+ /* Convert to lowercase and remove spaces after comas */
+ $value = preg_replace('/,\s+/', ',', strtolower($response->getHeader($header)));
+ if ($value !== $expected) {
+ if ($accepted !== null && $value === $accepted) {
+ $msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n";
+ } else {
+ $msg .= $this->l10n->t('- The `%1$s` HTTP header is not set to `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', [$header, $expected])."\n";
+ }
+ }
+ }
+
+ $xssfields = array_map('trim', explode(';', $response->getHeader('X-XSS-Protection')));
+ if (!in_array('1', $xssfields) || !in_array('mode=block', $xssfields)) {
+ $msg .= $this->l10n->t('- The `%1$s` HTTP header does not contain `%2$s`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', ['X-XSS-Protection', '1; mode=block'])."\n";
+ }
+
+ $referrerPolicy = $response->getHeader('Referrer-Policy');
+ if (!preg_match('/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/', $referrerPolicy)) {
+ $msg .= $this->l10n->t(
+ '- The `%1$s` HTTP header is not set to `%2$s`, `%3$s`, `%4$s`, `%5$s` or `%6$s`. This can leak referer information. See the {w3c-recommendation}.',
+ [
+ 'Referrer-Policy',
+ 'no-referrer',
+ 'no-referrer-when-downgrade',
+ 'strict-origin',
+ 'strict-origin-when-cross-origin',
+ 'same-origin',
+ ]
+ )."\n";
+ $msgParameters['w3c-recommendation'] = [
+ 'type' => 'highlight',
+ 'id' => 'w3c-recommendation',
+ 'name' => 'W3C Recommendation',
+ 'link' => 'https://www.w3.org/TR/referrer-policy/',
+ ];
+ }
+
+ $transportSecurityValidity = $response->getHeader('Strict-Transport-Security');
+ $minimumSeconds = 15552000;
+ if (preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)) {
+ $transportSecurityValidity = (int)$m[1];
+ if ($transportSecurityValidity < $minimumSeconds) {
+ $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set to at least `%d` seconds (current value: `%d`). For enhanced security, it is recommended to use a long HSTS policy.', [$minimumSeconds, $transportSecurityValidity])."\n";
+ }
+ } elseif (!empty($transportSecurityValidity)) {
+ $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is malformed: `%s`. For enhanced security, it is recommended to enable HSTS.', [$transportSecurityValidity])."\n";
+ } else {
+ $msg .= $this->l10n->t('- The `Strict-Transport-Security` HTTP header is not set (should be at least `%d` seconds). For enhanced security, it is recommended to enable HSTS.', [$minimumSeconds])."\n";
+ }
+
+ if (!empty($msg)) {
+ return SetupResult::warning(
+ $this->l10n->t('Some headers are not set correctly on your instance')."\n".$msg,
+ $this->urlGenerator->linkToDocs('admin-security'),
+ $msgParameters,
+ );
+ }
+ // Skip the other requests if one works
+ $works = true;
+ break;
+ }
+ // If 'works' is null then we could not connect to the server
+ if ($works === null) {
+ return SetupResult::info(
+ $this->l10n->t('Could not check that your web server serves security headers correctly. Please check manually.'),
+ $this->urlGenerator->linkToDocs('admin-security'),
+ );
+ }
+ // Otherwise if we fail we can abort here
+ if ($works === false) {
+ return SetupResult::warning(
+ $this->l10n->t("Could not check that your web server serves security headers correctly, unable to query `%s`", [$url]),
+ $this->urlGenerator->linkToDocs('admin-security'),
+ );
+ }
+ }
+ return SetupResult::success(
+ $this->l10n->t('Your server is correctly configured to send security headers.')
+ );
+ }
+}
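Review bot: The HSTS parser at `preg_match('/^max-age=(\d+)(;.*)?$/', $transportSecurityValidity, $m)` rejects valid headers: RFC 6797 makes directive names case-insensitive, their order insignificant and the value optionally quoted, so `includeSubDomains; max-age=31536000` or `Max-Age=31536000` are reported as "malformed" and the admin is told to enable HSTS they already serve. A tolerant match such as `preg_match('/(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)/i', $transportSecurityValidity, $m)` keeps the existing minimum-age comparison intact. Separately, the Referrer-Policy regex is unanchored and passes any comma-separated list that contains a safe token, but browsers apply the last recognised policy in such a list, so `no-referrer, unsafe-url` passes the check while still leaking referrers; validating the last element of the list would be stricter. The check also still recommends `X-XSS-Protection: 1; mode=block`, which, as far as I know, current guidance treats as obsolete (modern browsers ignore it and `0` is the suggested value where it is set at all) — probably a follow-up rather than a blocker since it mirrors the pre-migration behaviour.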
diff --git a/apps/settings/src/admin.js b/apps/settings/src/admin.js
index 09034495529..8b5ae1080e3 100644
--- a/apps/settings/src/admin.js
+++ b/apps/settings/src/admin.js
@@ -103,9 +103,8 @@ window.addEventListener('DOMContentLoaded', () => {
$.when(
OC.SetupChecks.checkWebDAV(),
OC.SetupChecks.checkSetup(),
- OC.SetupChecks.checkGeneric(),
- ).then((check1, check2, check3) => {
- const messages = [].concat(check1, check2, check3)
+ ).then((check1, check2) => {
+ const messages = [].concat(check1, check2)
const $el = $('#postsetupchecks')
$('#security-warning-state-loading').addClass('hidden')
diff --git a/apps/settings/tests/SetupChecks/OcxProvicersTest.php b/apps/settings/tests/SetupChecks/OcxProvicersTest.php
index f0f504af027..2cc6ac6de07 100644
--- a/apps/settings/tests/SetupChecks/OcxProvicersTest.php
+++ b/apps/settings/tests/SetupChecks/OcxProvicersTest.php
@@ -62,7 +62,7 @@ class OcxProvicersTest extends TestCase {
$this->logger = $this->createMock(LoggerInterface::class);
$this->setupcheck = $this->getMockBuilder(OcxProviders::class)
- ->onlyMethods(['runHEAD'])
+ ->onlyMethods(['runRequest'])
->setConstructorArgs([
$this->l10n,
$this->config,
@@ -79,7 +79,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
- ->method('runHEAD')
+ ->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([$response]));
$result = $this->setupcheck->run();
@@ -94,7 +94,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
- ->method('runHEAD')
+ ->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response1, $response1, $response1]), $this->generate([$response2])); // only one response out of two
$result = $this->setupcheck->run();
@@ -107,7 +107,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
- ->method('runHEAD')
+ ->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([]), $this->generate([])); // No responses
$result = $this->setupcheck->run();
@@ -121,7 +121,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
- ->method('runHEAD')
+ ->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([])); // only one response out of two
$result = $this->setupcheck->run();
@@ -135,7 +135,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
- ->method('runHEAD')
+ ->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response]), $this->generate([$response])); // only one response out of two
$result = $this->setupcheck->run();
@@ -151,7 +151,7 @@ class OcxProvicersTest extends TestCase {
$this->setupcheck
->expects($this->exactly(2))
- ->method('runHEAD')
+ ->method('runRequest')
->willReturnOnConsecutiveCalls($this->generate([$response1]), $this->generate([$response2]));
$result = $this->setupcheck->run();
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
new file mode 100644
index 00000000000..fb8eb757460
--- /dev/null
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -0,0 +1,224 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2024 Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @author Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Settings\Tests;
+
+use OCA\Settings\SetupChecks\SecurityHeaders;
+use OCP\Http\Client\IClientService;
+use OCP\Http\Client\IResponse;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IURLGenerator;
+use OCP\SetupCheck\SetupResult;
+use PHPUnit\Framework\MockObject\MockObject;
+use Psr\Log\LoggerInterface;
+use Test\TestCase;
+
+class SecurityHeadersTest extends TestCase {
+ private IL10N|MockObject $l10n;
+ private IConfig|MockObject $config;
+ private IURLGenerator|MockObject $urlGenerator;
+ private IClientService|MockObject $clientService;
+ private LoggerInterface|MockObject $logger;
+ private SecurityHeaders|MockObject $setupcheck;
+
+ protected function setUp(): void {
+ parent::setUp();
+
+ /** @var IL10N|MockObject */
+ $this->l10n = $this->getMockBuilder(IL10N::class)
+ ->disableOriginalConstructor()->getMock();
+ $this->l10n->expects($this->any())
+ ->method('t')
+ ->willReturnCallback(function ($message, array $replace) {
+ return vsprintf($message, $replace);
+ });
+
+ $this->config = $this->createMock(IConfig::class);
+ $this->urlGenerator = $this->createMock(IURLGenerator::class);
+ $this->clientService = $this->createMock(IClientService::class);
+ $this->logger = $this->createMock(LoggerInterface::class);
+
+ $this->setupcheck = $this->getMockBuilder(SecurityHeaders::class)
+ ->onlyMethods(['runRequest'])
+ ->setConstructorArgs([
+ $this->l10n,
+ $this->config,
+ $this->urlGenerator,
+ $this->clientService,
+ $this->logger,
+ ])
+ ->getMock();
+ }
+
+ public function testInvalidStatusCode(): void {
+ $this->setupResponse(500, []);
+
+ $result = $this->setupcheck->run();
+ $this->assertMatchesRegularExpression('/^Could not check that your web server serves security headers correctly/', $result->getDescription());
+ $this->assertEquals(SetupResult::WARNING, $result->getSeverity());
+ }
+
+ public function testAllHeadersMissing(): void {
+ $this->setupResponse(200, []);
+
+ $result = $this->setupcheck->run();
+ $this->assertMatchesRegularExpression('/^Some headers are not set correctly on your instance/', $result->getDescription());
+ $this->assertEquals(SetupResult::WARNING, $result->getSeverity());
+ }
+
+ public function testSomeHeadersMissing(): void {
+ $this->setupResponse(
+ 200,
+ [
+ 'X-Robots-Tag' => 'noindex, nofollow',
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'Strict-Transport-Security' => 'max-age=15768000;preload',
+ 'X-Permitted-Cross-Domain-Policies' => 'none',
+ 'Referrer-Policy' => 'no-referrer',
+ ]
+ );
+
+ $result = $this->setupcheck->run();
+ $this->assertEquals(
+ "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
+ $result->getDescription()
+ );
+ $this->assertEquals(SetupResult::WARNING, $result->getSeverity());
+ }
+
+ public function dataSuccess(): array {
+ return [
+ // description => modifiedHeaders
+ 'basic' => [[]],
+ 'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
+ 'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
+ 'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
+ 'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
+ 'referrer-strict-origin' => [['Referrer-Policy' => 'strict-origin']],
+ 'referrer-strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
+ 'referrer-same-origin' => [['Referrer-Policy' => 'same-origin']],
+ 'hsts-minimum' => [['Strict-Transport-Security' => 'max-age=15552000']],
+ 'hsts-include-subdomains' => [['Strict-Transport-Security' => 'max-age=99999999; includeSubDomains']],
+ 'hsts-include-subdomains-preload' => [['Strict-Transport-Security' => 'max-age=99999999; preload; includeSubDomains']],
+ ];
+ }
+
+ /**
+ * @dataProvider dataSuccess
+ */
+ public function testSuccess($headers): void {
+ $headers = array_merge(
+ [
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff',
+ 'X-Robots-Tag' => 'noindex, nofollow',
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'Strict-Transport-Security' => 'max-age=15768000',
+ 'X-Permitted-Cross-Domain-Policies' => 'none',
+ 'Referrer-Policy' => 'no-referrer',
+ ],
+ $headers
+ );
+ $this->setupResponse(
+ 200,
+ $headers
+ );
+
+ $result = $this->setupcheck->run();
+ $this->assertEquals(
+ 'Your server is correctly configured to send security headers.',
+ $result->getDescription()
+ );
+ $this->assertEquals(SetupResult::SUCCESS, $result->getSeverity());
+ }
+
+ public function dataFailure(): array {
+ return [
+ // description => modifiedHeaders
+ 'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
+ 'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
+ 'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
+ 'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
+ 'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
+ 'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
+ 'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],
+ 'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to use a long HSTS policy.\n"],
+ 'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"],
+ ];
+ }
+
+ /**
+ * @dataProvider dataFailure
+ */
+ public function testFailure(array $headers, string $msg): void {
+ $headers = array_merge(
+ [
+ 'X-XSS-Protection' => '1; mode=block',
+ 'X-Content-Type-Options' => 'nosniff',
+ 'X-Robots-Tag' => 'noindex, nofollow',
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'Strict-Transport-Security' => 'max-age=15768000',
+ 'X-Permitted-Cross-Domain-Policies' => 'none',
+ 'Referrer-Policy' => 'no-referrer',
+ ],
+ $headers
+ );
+ $this->setupResponse(
+ 200,
+ $headers
+ );
+
+ $result = $this->setupcheck->run();
+ $this->assertEquals(
+ 'Some headers are not set correctly on your instance'."\n$msg",
+ $result->getDescription()
+ );
+ $this->assertEquals(SetupResult::WARNING, $result->getSeverity());
+ }
+
+ protected function setupResponse(int $statuscode, array $headers): void {
+ $response = $this->createMock(IResponse::class);
+ $response->expects($this->atLeastOnce())->method('getStatusCode')->willReturn($statuscode);
+ $response->expects($this->any())->method('getHeader')
+ ->willReturnCallback(
+ fn (string $header): string => $headers[$header] ?? ''
+ );
+
+ $this->setupcheck
+ ->expects($this->atLeastOnce())
+ ->method('runRequest')
+ ->willReturnOnConsecutiveCalls($this->generate([$response]));
+ }
+
+ /**
+ * Helper function creates a nicer interface for mocking Generator behavior
+ */
+ protected function generate(array $yield_values) {
+ return $this->returnCallback(function () use ($yield_values) {
+ yield from $yield_values;
+ });
+ }
+}
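Review bot: The `$accepted` branch of the check (an `X-Frame-Options: DENY` response producing the softer "Some features might not work correctly" wording) is never exercised — `dataFailure` has no dataset for it, and neither provider covers an HSTS value with `includeSubDomains` placed before `max-age`. Adding a `'x-frame-options-deny' => [['X-Frame-Options' => 'DENY'], ...]` entry to `dataFailure` expecting the `Some features might not work correctly` message would pin that path. `dataSuccess` also lists the same policy twice (`'strict-origin-when-cross-origin'` and `'referrer-strict-origin-when-cross-origin'`), so one of the two datasets is redundant. On style, PHPUnit 10 expects data providers to be `public static`, so `dataSuccess()` and `dataFailure()` should be declared `public static function` to avoid the deprecation notice.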