1 files changed, 95 insertions, 1 deletions

diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 00e73162c55..d5bd1c465b2 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -70,7 +70,101 @@
 				url: OC.generateUrl('settings/ajax/checksetup')
 			}).then(afterCall, afterCall);
 			return deferred.promise();
+		},
+
+		/**
+		 * Runs generic checks on the server side, the difference to dedicated
+		 * methods is that we use the same XHR object for all checks to save
+		 * requests.
+		 *
+		 * @return $.Deferred object resolved with an array of error messages
+		 */
+		checkGeneric: function() {
+			var self = this;
+			var deferred = $.Deferred();
+			var afterCall = function(data, statusText, xhr) {
+				var messages = [];
+				messages = messages.concat(self._checkSecurityHeaders(xhr));
+				messages = messages.concat(self._checkSSL(xhr));
+				deferred.resolve(messages);
+			};
+
+			$.ajax({
+				type: 'GET',
+				url: OC.generateUrl('heartbeat')
+			}).then(afterCall, afterCall);
+
+			return deferred.promise();
+		},
+
+		/**
+		 * Runs check for some generic security headers on the server side
+		 *
+		 * @param {Object} xhr
+		 * @return {Array} Array with error messages
+		 */
+		_checkSecurityHeaders: function(xhr) {
+			var messages = [];
+
+			if (xhr.status === 200) {
+				var securityHeaders = {
+					'X-XSS-Protection': '1; mode=block',
+					'X-Content-Type-Options': 'nosniff',
+					'X-Robots-Tag': 'none',
+					'X-Frame-Options': 'SAMEORIGIN'
+				};
+
+				for (var header in securityHeaders) {
+					if(xhr.getResponseHeader(header) !== securityHeaders[header]) {
+						messages.push(
+							t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]})
+						);
+					}
+				}
+			} else {
+				messages.push(t('core', 'Error occurred while checking server setup'));
+			}
+
+			return messages;
+		},
+
+		/**
+		 * Runs check for some SSL configuration issues on the server side
+		 *
+		 * @param {Object} xhr
+		 * @return {Array} Array with error messages
+		 */
+		_checkSSL: function(xhr) {
+			var messages = [];
+
+			if (xhr.status === 200) {
+				if(OC.getProtocol() === 'https') {
+					// Extract the value of 'Strict-Transport-Security'
+					var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
+					if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
+						var firstComma = transportSecurityValidity.indexOf(";");
+						if(firstComma !== -1) {
+							transportSecurityValidity = transportSecurityValidity.substring(0, firstComma);
+						} else {
+							transportSecurityValidity = transportSecurityValidity.substring(8);
+						}
+					}
+
+					if(isNaN(transportSecurityValidity) || transportSecurityValidity <= 2678399) {
+						messages.push(
+							t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.')
+						);
+					}
+				} else {
+					messages.push(
+						t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.')
+					);
+				}
+			} else {
+				messages.push(t('core', 'Error occurred while checking server setup'));
+			}
+
+			return messages;
 		}
 	};
 })();
-