summaryrefslogtreecommitdiffstats
path: root/core
diff options
context:
space:
mode:
authorLukas Reschke <lukas@owncloud.com>2015-06-15 10:39:25 +0200
committerLukas Reschke <lukas@owncloud.com>2015-06-15 10:39:25 +0200
commiteec8d776b758edf58fb04d3d3993a227b15f22d1 (patch)
tree9af154873115cc94aa9009aeb2d8ce6882e443ca /core
parent2806c9476c1d3daff5c97772cba1a43df4df7936 (diff)
downloadnextcloud-server-eec8d776b758edf58fb04d3d3993a227b15f22d1.tar.gz
nextcloud-server-eec8d776b758edf58fb04d3d3993a227b15f22d1.zip
Align recommended settings
This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673
Diffstat (limited to 'core')
-rw-r--r--core/js/setupchecks.js9
-rw-r--r--core/js/tests/specs/setupchecksSpec.js40
2 files changed, 34 insertions, 15 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 5d9f1863ef7..02d7ef94b7e 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -154,20 +154,21 @@
if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
var firstComma = transportSecurityValidity.indexOf(";");
if(firstComma !== -1) {
- transportSecurityValidity = transportSecurityValidity.substring(0, firstComma);
+ transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
} else {
transportSecurityValidity = transportSecurityValidity.substring(8);
}
}
- if(isNaN(transportSecurityValidity) || transportSecurityValidity <= 2678399) {
+ var minimumSeconds = 15768000;
+ if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
messages.push(
- t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.')
+ t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'})
);
}
} else {
messages.push(
- t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.')
+ t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'})
);
}
} else {
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 65de3d0321d..ec8a732b4a1 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -169,7 +169,7 @@ describe('OC.SetupChecks tests', function() {
200,
{
'Content-Type': 'application/json',
- 'Strict-Transport-Security': '2678400'
+ 'Strict-Transport-Security': 'max-age=15768000'
}
);
@@ -188,7 +188,7 @@ describe('OC.SetupChecks tests', function() {
{
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
- 'Strict-Transport-Security': '2678400'
+ 'Strict-Transport-Security': 'max-age=15768000;preload'
}
);
@@ -209,7 +209,7 @@ describe('OC.SetupChecks tests', function() {
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
- 'Strict-Transport-Security': '2678400'
+ 'Strict-Transport-Security': 'max-age=15768000'
}
);
@@ -234,7 +234,7 @@ describe('OC.SetupChecks tests', function() {
);
async.done(function( data, s, x ){
- expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.']);
+ expect(data).toEqual(['You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="#admin-tips">security tips</a>.']);
done();
});
});
@@ -269,7 +269,7 @@ describe('OC.SetupChecks tests', function() {
);
async.done(function( data, s, x ){
- expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']);
+ expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips">security tips</a>.']);
done();
});
});
@@ -280,7 +280,7 @@ describe('OC.SetupChecks tests', function() {
suite.server.requests[0].respond(200,
{
- 'Strict-Transport-Security': '2678399',
+ 'Strict-Transport-Security': 'max-age=15767999',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
@@ -289,7 +289,7 @@ describe('OC.SetupChecks tests', function() {
);
async.done(function( data, s, x ){
- expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']);
+ expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips">security tips</a>.']);
done();
});
});
@@ -309,7 +309,7 @@ describe('OC.SetupChecks tests', function() {
);
async.done(function( data, s, x ){
- expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.']);
+ expect(data).toEqual(['The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips">security tips</a>.']);
done();
});
});
@@ -319,7 +319,7 @@ describe('OC.SetupChecks tests', function() {
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
- 'Strict-Transport-Security': '2678400',
+ 'Strict-Transport-Security': 'max-age=15768000',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
@@ -337,7 +337,7 @@ describe('OC.SetupChecks tests', function() {
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
- 'Strict-Transport-Security': '12678400',
+ 'Strict-Transport-Security': 'max-age=99999999',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
@@ -355,7 +355,25 @@ describe('OC.SetupChecks tests', function() {
var async = OC.SetupChecks.checkGeneric();
suite.server.requests[0].respond(200, {
- 'Strict-Transport-Security': '12678400; includeSubDomains',
+ 'Strict-Transport-Security': 'max-age=99999999; includeSubDomains',
+ 'X-XSS-Protection': '1; mode=block',
+ 'X-Content-Type-Options': 'nosniff',
+ 'X-Robots-Tag': 'none',
+ 'X-Frame-Options': 'SAMEORIGIN'
+ });
+
+ async.done(function( data, s, x ){
+ expect(data).toEqual([]);
+ done();
+ });
+ });
+
+ it('should return no SSL warning if SSL used with to more than the minimum Strict-Transport-Security-Header and includeSubDomains and preload parameter', function(done) {
+ protocolStub.returns('https');
+ var async = OC.SetupChecks.checkGeneric();
+
+ suite.server.requests[0].respond(200, {
+ 'Strict-Transport-Security': 'max-age=99999999; preload; includeSubDomains',
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',