6 files changed, 80 insertions, 20 deletions

diff --git a/apps/settings/tests/SetupChecks/DataDirectoryProtectedTest.php b/apps/settings/tests/SetupChecks/DataDirectoryProtectedTest.php
index a48c6296aff..c20c78c6e16 100644
--- a/apps/settings/tests/SetupChecks/DataDirectoryProtectedTest.php
+++ b/apps/settings/tests/SetupChecks/DataDirectoryProtectedTest.php
@@ -54,9 +54,7 @@ class DataDirectoryProtectedTest extends TestCase {
 			->getMock();
 	}
 
-	/**
-	 * @dataProvider dataTestStatusCode
-	 */
+	#[\PHPUnit\Framework\Attributes\DataProvider('dataTestStatusCode')]
 	public function testStatusCode(array $status, string $expected, bool $hasBody): void {
 		$responses = array_map(function ($state) use ($hasBody) {
 			$response = $this->createMock(IResponse::class);
diff --git a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php
index b57eb852d80..9b4878b45cc 100644
--- a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php
@@ -43,9 +43,7 @@ class ForwardedForHeadersTest extends TestCase {
 		);
 	}
 
-	/**
-	 * @dataProvider dataForwardedForHeadersWorking
-	 */
+	#[\PHPUnit\Framework\Attributes\DataProvider('dataForwardedForHeadersWorking')]
 	public function testForwardedForHeadersWorking(array $trustedProxies, string $remoteAddrNotForwarded, string $remoteAddr, string $result): void {
 		$this->config->expects($this->once())
 			->method('getSystemValue')
diff --git a/apps/settings/tests/SetupChecks/LoggingLevelTest.php b/apps/settings/tests/SetupChecks/LoggingLevelTest.php
index 9d588a4e486..67224e11e3a 100644
--- a/apps/settings/tests/SetupChecks/LoggingLevelTest.php
+++ b/apps/settings/tests/SetupChecks/LoggingLevelTest.php
@@ -59,7 +59,7 @@ class LoggingLevelTest extends TestCase {
 		];
 	}
 
-	/** @dataProvider dataRun */
+	#[\PHPUnit\Framework\Attributes\DataProvider('dataRun')]
 	public function testRun(string|int $value, string $expected): void {
 		$this->urlGenerator->method('linkToDocs')->willReturn('admin-logging');
 
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
index e7d87775485..1f75907d427 100644
--- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -84,7 +84,7 @@ class SecurityHeadersTest extends TestCase {
 
 		$result = $this->setupcheck->run();
 		$this->assertEquals(
-			"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
+			"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
 			$result->getDescription()
 		);
 		$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
@@ -94,7 +94,6 @@ class SecurityHeadersTest extends TestCase {
 		return [
 			// description => modifiedHeaders
 			'basic' => [[]],
-			'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
 			'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
 			'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
 			'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
@@ -107,13 +106,10 @@ class SecurityHeadersTest extends TestCase {
 		];
 	}
 
-	/**
-	 * @dataProvider dataSuccess
-	 */
+	#[\PHPUnit\Framework\Attributes\DataProvider('dataSuccess')]
 	public function testSuccess(array $headers): void {
 		$headers = array_merge(
 			[
-				'X-XSS-Protection' => '1; mode=block',
 				'X-Content-Type-Options' => 'nosniff',
 				'X-Robots-Tag' => 'noindex, nofollow',
 				'X-Frame-Options' => 'SAMEORIGIN',
@@ -140,8 +136,6 @@ class SecurityHeadersTest extends TestCase {
 		return [
 			// description => modifiedHeaders
 			'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
-			'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
-			'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
 			'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 			'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 			'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
@@ -151,13 +145,10 @@ class SecurityHeadersTest extends TestCase {
 		];
 	}
 
-	/**
-	 * @dataProvider dataFailure
-	 */
+	#[\PHPUnit\Framework\Attributes\DataProvider('dataFailure')]
 	public function testFailure(array $headers, string $msg): void {
 		$headers = array_merge(
 			[
-				'X-XSS-Protection' => '1; mode=block',
 				'X-Content-Type-Options' => 'nosniff',
 				'X-Robots-Tag' => 'noindex, nofollow',
 				'X-Frame-Options' => 'SAMEORIGIN',
diff --git a/apps/settings/tests/SetupChecks/TaskProcessingPickupSpeedTest.php b/apps/settings/tests/SetupChecks/TaskProcessingPickupSpeedTest.php
new file mode 100644
index 00000000000..6375d9f6e7f
--- /dev/null
+++ b/apps/settings/tests/SetupChecks/TaskProcessingPickupSpeedTest.php
@@ -0,0 +1,73 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\Settings\Tests;
+
+use OCA\Settings\SetupChecks\TaskProcessingPickupSpeed;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\IL10N;
+use OCP\SetupCheck\SetupResult;
+use OCP\TaskProcessing\IManager;
+use OCP\TaskProcessing\Task;
+use Test\TestCase;
+
+class TaskProcessingPickupSpeedTest extends TestCase {
+	private IL10N $l10n;
+	private ITimeFactory $timeFactory;
+	private IManager $taskProcessingManager;
+
+	private TaskProcessingPickupSpeed $check;
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->l10n = $this->getMockBuilder(IL10N::class)->getMock();
+		$this->timeFactory = $this->getMockBuilder(ITimeFactory::class)->getMock();
+		$this->taskProcessingManager = $this->getMockBuilder(IManager::class)->getMock();
+
+		$this->check = new TaskProcessingPickupSpeed(
+			$this->l10n,
+			$this->taskProcessingManager,
+			$this->timeFactory,
+		);
+	}
+
+	public function testPass(): void {
+		$tasks = [];
+		for ($i = 0; $i < 100; $i++) {
+			$task = new Task('test', ['test' => 'test'], 'settings', 'user' . $i);
+			$task->setStartedAt(0);
+			if ($i < 15) {
+				$task->setScheduledAt(60 * 5); // 15% get 5mins
+			} else {
+				$task->setScheduledAt(60); // the rest gets 1min
+			}
+			$tasks[] = $task;
+		}
+		$this->taskProcessingManager->method('getTasks')->willReturn($tasks);
+
+		$this->assertEquals(SetupResult::SUCCESS, $this->check->run()->getSeverity());
+	}
+
+	public function testFail(): void {
+		$tasks = [];
+		for ($i = 0; $i < 100; $i++) {
+			$task = new Task('test', ['test' => 'test'], 'settings', 'user' . $i);
+			$task->setStartedAt(0);
+			if ($i < 30) {
+				$task->setScheduledAt(60 * 5); // 30% get 5mins
+			} else {
+				$task->setScheduledAt(60); // the rest gets 1min
+			}
+			$tasks[] = $task;
+		}
+		$this->taskProcessingManager->method('getTasks')->willReturn($tasks);
+
+		$this->assertEquals(SetupResult::WARNING, $this->check->run()->getSeverity());
+	}
+}
diff --git a/apps/settings/tests/SetupChecks/WellKnownUrlsTest.php b/apps/settings/tests/SetupChecks/WellKnownUrlsTest.php
index 14473a540ba..d55835d66fc 100644
--- a/apps/settings/tests/SetupChecks/WellKnownUrlsTest.php
+++ b/apps/settings/tests/SetupChecks/WellKnownUrlsTest.php
@@ -96,8 +96,8 @@ class WellKnownUrlsTest extends TestCase {
 
 	/**
 	 * Test responses
-	 * @dataProvider dataTestResponses
 	 */
+	#[\PHPUnit\Framework\Attributes\DataProvider('dataTestResponses')]
 	public function testResponses($responses, string $expectedSeverity): void {
 		$this->config
 			->expects($this->once())