From eec8d776b758edf58fb04d3d3993a227b15f22d1 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Mon, 15 Jun 2015 10:39:25 +0200
Subject: Align recommended settings

This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well.

Fixes https://github.com/owncloud/core/issues/16673
---
 core/js/setupchecks.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'core/js/setupchecks.js')

diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 5d9f1863ef7..02d7ef94b7e 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -154,20 +154,21 @@
 					if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
 						var firstComma = transportSecurityValidity.indexOf(";");
 						if(firstComma !== -1) {
-							transportSecurityValidity = transportSecurityValidity.substring(0, firstComma);
+							transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
 						} else {
 							transportSecurityValidity = transportSecurityValidity.substring(8);
 						}
 					}
 
-					if(isNaN(transportSecurityValidity) || transportSecurityValidity <= 2678399) {
+					var minimumSeconds = 15768000;
+					if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
 						messages.push(
-							t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "2,678,400" seconds. This is a potential security risk and we recommend adjusting this setting.')
+							t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'})
 						);
 					}
 				} else {
 					messages.push(
-						t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead.')
+						t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'})
 					);
 				}
 			} else {
-- 
cgit v1.2.3