diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2015-06-15 10:39:25 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2015-06-15 10:39:25 +0200 |
| commit | eec8d776b758edf58fb04d3d3993a227b15f22d1 (patch) | |
| tree | 9af154873115cc94aa9009aeb2d8ce6882e443ca /core/js/setupchecks.js | |
| parent | 2806c9476c1d3daff5c97772cba1a43df4df7936 (diff) | |
| download | nextcloud-server-eec8d776b758edf58fb04d3d3993a227b15f22d1.tar.gz nextcloud-server-eec8d776b758edf58fb04d3d3993a227b15f22d1.zip | |
Align recommended settings
This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well.
Fixes https://github.com/owncloud/core/issues/16673
Diffstat (limited to 'core/js/setupchecks.js')
| -rw-r--r-- | core/js/setupchecks.js | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 5d9f1863ef7..02d7ef94b7e 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -154,20 +154,21 @@ if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) { var firstComma = transportSecurityValidity.indexOf(";"); if(firstComma !== -1) { - transportSecurityValidity = transportSecurityValidity.substring(0, firstComma); + transportSecurityValidity = transportSecurityValidity.substring(8, firstComma); } else { transportSecurityValidity = transportSecurityValidity.substring(8); } } - if(isNaN(transportSecurityValidity) || transportSecurityValidity <= 2678399) { + var minimumSeconds = 15768000; + if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) { messages.push( - t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.') + t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'}) ); } } else { messages.push( - t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.') + t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'}) ); } } else { |