Commit graph

69 commits

Author SHA1 Message Date
Morris Jobke
df6e9109c8
Merge pull request #11396 from nextcloud/wellknown-webfinger
adding .well-known/webfinger
2018-10-24 14:51:15 +02:00
Daniel Peukert
2da4f96bd6 Remove arrow function
Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
2018-10-17 18:10:37 +02:00
Daniel Peukert
b2dfcb5a18 Check if the X-XSS-Protection header contains the required fields
Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
2018-10-17 14:28:51 +02:00
Moritz Beck
b68661ed6e
Allow "same-origin" as "Referrer-Policy"
Fixes #11531

Although "same-origin" is more strict than e.g. strict-origin it showed up a warning in setupcheck
Based on https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Signed-off-by: Moritz Beck <git@birkenstab.de>
2018-10-11 13:17:26 +02:00
Daniel Calviño Sánchez
d143b43a04 Make possible to set the expected status of the well known URL check
The check is based on the HTTP status returned by the URL, and different
URLs may return different status (for example, DAV returns 207, while
a service like WebFinger would return 200), so the expected status needs
to be set depending on the URL.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2018-10-10 13:48:56 +02:00
Timo Förster
006e150c87 Change check if secure randomness is possible.
Signed-off-by: Timo Förster <tfoerster@webfoersterei.de>
2018-08-24 23:12:02 +02:00
Michael Weimann
2bab916c53
Adds license to files. Updates the branch.
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
2018-08-20 20:46:23 +02:00
Michael Weimann
c164409ee7
Adds a memory limit warning for console commands if the limit is below the recommended value
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
2018-08-20 15:24:10 +02:00
Michael Weimann
c2fced4463
Adds a setup check for the memory limit
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
2018-08-20 15:24:10 +02:00
Michael Weimann
b2e60e365d
Adds a setup check for app directory permissions.
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
2018-08-09 19:47:55 +02:00
Cthulhux
f6f49c77f7
opcache module check
Improved the speed of isOpcacheProperlySetup() (instant return instead of continuing when we're already failed), added a check for the opcache extension itself. Potentially fixes #9410

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-07-11 16:08:40 +02:00
Roeland Jago Douma
6a0c54d5bf
Add warning to setup checks if the default mailer is still php
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-07-04 08:28:33 +02:00
Morris Jobke
9c4aecb539
Merge all setup checks into one controller
* renamed hasMissingIndexes to missingIndexes

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-06-13 15:25:08 +02:00
Morris Jobke
cd87a40eb3
Merge pull request #9836 from nextcloud/feature/noid/merge-tips-and-tricks-into-setup-checks
Merge tips & tricks section into setup checks
2018-06-13 13:18:40 +02:00
Morris Jobke
4a0b7aaf6c
Merge tips & tricks section into setup checks
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-06-13 12:05:38 +02:00
Morris Jobke
624d191ef6
Fix wrong hint about missing indexes
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-06-13 11:56:43 +02:00
Morris Jobke
393d9aae74
Add a hint that some indexes are not added yet
* gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual
* nicely integrated in the setup checks where this kind of hints belong to
* also adds an option to integrate this from an app based on events
* fix style of setting warnings

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-06-06 16:55:01 +02:00
Roeland Jago Douma
4b70c9f89d
Add referrer policy setup check
Fixes #9122

Based on https://www.w3.org/TR/referrer-policy/ and
https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Setting a sane Referrer-Policy will tell the browser if/when to send
referrer headers when accessing a link from Nextcloud. When configured
properly this results in less tracking and less leaking of (possibly)
sensitive urls

* Fix tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-04 09:21:35 +02:00
Allan Nordhøy
13d8b7f190
Spelling: FreeType 2018-01-14 15:58:36 +01:00
Roeland Jago Douma
7618473a44 Add warning regarding freetype support
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-12-13 17:20:48 +01:00
Morris Jobke
ace96a406a
Show hint that PHP 5.6 will not be supported in Nextcloud 14 anymore
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-12-08 10:02:41 +01:00
Allan Nordhøy
55cad46a21
No "to equal to" "We" or "Our", properly
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-27 08:50:37 +01:00
Lukas Reschke
6d1d2dde0b
Merge pull request #4856 from coderkun/issue-3808-xframe-deny
Improve warning for X-Frame-Options header DENY (#3808)
2017-11-14 14:30:14 +01:00
Markus Staab
db34b59238 Prevent XSS in links which open a new browser window 2017-10-19 12:16:04 +02:00
rakekniven
f2d999aa70 Update setupchecks.js
Fixed typo and removed doclink symbol.
Reported at transifex

Update util.php

Another l10n improvement from transifex.

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-05-31 13:41:45 +02:00
Morris Jobke
1fedf450ac Update Opcache recommendation
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-05-21 18:21:28 -05:00
coderkun
b44c3dd198 Improve warning for X-Frame-Options header DENY (#3808)
Signed-off-by: Oliver Hanraths <olli@coderkun.de>
2017-05-14 13:16:36 +02:00
Joas Schilling
1c0bffe87f
Fix translations
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-18 16:40:53 -05:00
Ko-
786ee72146 Add warning on admin screen when set_time_limit is unavailable 2017-03-16 11:48:28 +01:00
Morris Jobke
cee8853658
Show info in admin settings about PHP opcache if disabled
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-22 23:45:48 -06:00
Morris Jobke
a2867c0664
Properly check the data dir
* fixes #1364

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2016-12-05 23:35:35 +01:00
Joas Schilling
0f06034239
Replace more vendor naming
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-11 08:54:21 +01:00
Arthur Schiwon
44f3fcc187
fix internal links in security & setup warnings, resolves #1048 2016-08-25 13:24:50 +02:00
Derek
b236100619 Alters 'No Internet Connection' error message. #181 2016-07-20 19:12:10 -05:00
Vincent Petry
97f1813695
Don't reload page in case of auth errors during setup checks
If an error occurs during setup checks, do not let the global ajax
error handler reload the page.
2016-06-23 11:54:49 +02:00
Vincent Petry
fb087a0261
Use temporary htaccesstest.txt for data dir security check 2016-06-07 18:36:13 +02:00
Morris Jobke
e03d289b70
Use 6 months as SSL STS header threshold
* this uses 6 months (6 * 30 * 24 * 60 * 60 = 15552000)
* old value was half a year (365 / 2 * 24 * 60 * 60 = 15768000)
* fixes #23957
2016-04-13 08:47:34 +02:00
Lukas Reschke
6ad957906e Consistently use rel=noreferrer
When linking to external entities we should consistently use rel=noreferrer
2016-03-20 15:27:20 +01:00
Lukas Reschke
2ca3c0d461 Adjust wording a bit
**Before:**
> Your PHP version (5.4.16) is no longer supported by PHP. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by PHP.

**After:**
> You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it.

Fixes https://github.com/owncloud/enterprise/issues/1170
2016-03-11 17:39:35 +01:00
Thomas Müller
8abdcb8085 Fix error ins source language strings
https://www.transifex.com/owncloud-org/owncloud/translate/#en_GB/core/50786279
https://www.transifex.com/owncloud-org/owncloud/translate/#en_GB/settings-1/50555028
2016-02-19 15:04:16 +01:00
Vincent Petry
b8b77709c0 Add handler for global ajax errors 2016-02-15 12:48:47 +01:00
Lukas Reschke
5ba6148bfe Add check for content
The response may be a redirect which is always followed by jQuery. Thus leading to false positives depending on the server configuration (e.g. when it issues a 302)

To prevent that there is also a check performed on the response content.
2016-02-04 16:13:27 +01:00
Vincent Chan
faf48e42b7 Move data protection check to javascript
fixes #20199
2016-02-01 18:57:58 +01:00
Thomas Müller
b1ee51f255 Merge pull request #21630 from owncloud/add-some-security-headers-as-hardening
Add X-Download-Options and X-Permitted-Cross-Domain-Policies
2016-01-13 10:33:58 +01:00
Thomas Müller
2493cfede9 Merge pull request #21640 from owncloud/add-config-to-disable-wellknown-check
Add config switch to disable the .well-known URL check
2016-01-12 14:46:09 +01:00
Lukas Reschke
4d0dcd3c53 Add X-Download-Options and X-Permitted-Cross-Domain-Policies
Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
2016-01-12 10:37:16 +01:00
Morris Jobke
8b6b042ffd Add config switch to disable the .well-known URL check 2016-01-12 09:53:23 +01:00
Morris Jobke
a6c7cdd75e Show the well-known URL check as info instead of error
* ref https://github.com/owncloud/core/pull/21562#issuecomment-170344549
2016-01-12 09:18:20 +01:00
Morris Jobke
0161928fc3 Add check for .well-known URL in the root of the webservers URL
* fixes #20012
2016-01-08 23:27:29 +01:00
Renaud Fortier
83899a5fa1 add _blank to href 2015-12-21 13:28:32 -05:00