Diffstat (limited to 'core/js/setupchecks.js')
-rw-r--r--core/js/setupchecks.js4
1 files changed, 2 insertions, 2 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 73896f9fc91..b2d021c6265 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -628,13 +628,13 @@
if (xhr.status === 200) {
var securityHeaders = {
'X-Content-Type-Options': ['nosniff'],
- 'X-Robots-Tag': ['none'],
+ 'X-Robots-Tag': ['noindex, nofollow'],
'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
'X-Permitted-Cross-Domain-Policies': ['none'],
};
for (var header in securityHeaders) {
var option = securityHeaders[header][0];
- if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== option.toLowerCase()) {
+ if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).replace(/, /, ',').toLowerCase() !== option.replace(/, /, ',').toLowerCase()) {
var msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) {
msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". Some features might not work correctly, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
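Review bot: The normalisation added to the header comparison inside the `for` loop uses `/, /` with no `g` flag, so it only collapses the first comma that is followed by exactly one space. A server that sends an equivalent `X-Robots-Tag` value with different spacing (for example two spaces or a space before the comma) would still be reported as misconfigured; `.replace(/\s*,\s*/g, ',')` on both sides would make the check tolerant of that. The comparison is also order-sensitive, so `nofollow, noindex` would presumably warn as well; splitting on commas, trimming and sorting the directives before comparing would cover it. The fallback comparison against `securityHeaders[header][1]` two lines further down still compares the raw value, which is harmless today only because `X-Frame-Options` has no comma-separated alternative. The enclosing function starts and ends outside this hunk.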