nextcloud/core/js/setupchecks.js

/*
 * Copyright (c) 2014
 *
 * This file is licensed under the Affero General Public License version 3
 * or later.
 *
 * See the COPYING-README file.
 *
 */

(function() {
	OC.SetupChecks = {

		/* Message types */
		MESSAGE_TYPE_INFO:0,
		MESSAGE_TYPE_WARNING:1,
		MESSAGE_TYPE_ERROR:2,

		/**
		 * Check whether the WebDAV connection works.
		 *
		 * @return $.Deferred object resolved with an array of error messages
		 */
		checkWebDAV: function() {
			var deferred = $.Deferred();
			var afterCall = function(xhr) {
				var messages = [];
				if (xhr.status !== 207 && xhr.status !== 401) {
					messages.push({
						msg: t('core', 'Your web server is not yet set up properly to allow file synchronization because the WebDAV interface seems to be broken.'),
						type: OC.SetupChecks.MESSAGE_TYPE_ERROR
					});
				}
				deferred.resolve(messages);
			};

			$.ajax({
				type: 'PROPFIND',
				url: OC.linkToRemoteBase('webdav'),
				data: '<?xml version="1.0"?>' +
						'<d:propfind xmlns:d="DAV:">' +
						'<d:prop><d:resourcetype/></d:prop>' +
						'</d:propfind>',
				complete: afterCall
			});
			return deferred.promise();
		},

		/**
		 * Runs setup checks on the server side
		 *
		 * @return $.Deferred object resolved with an array of error messages
		 */
		checkSetup: function() {
			var deferred = $.Deferred();
			var afterCall = function(data, statusText, xhr) {
				var messages = [];
				if (xhr.status === 200 && data) {
					if (!data.serverHasInternetConnection) {
						messages.push({
							msg: t('core', 'This server has no working Internet connection. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.'),
							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
						});
					}
					if(!data.dataDirectoryProtected) {
						messages.push({
							msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),
							type: OC.SetupChecks.MESSAGE_TYPE_ERROR
						});
					}
					if(!data.isMemcacheConfigured) {
						messages.push({
							msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}),
							type: OC.SetupChecks.MESSAGE_TYPE_INFO
						});
					}
					if(!data.isUrandomAvailable) {
						messages.push({
							msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.securityDocs}),
							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
						});
					}
					if(data.isUsedTlsLibOutdated) {
						messages.push({
							msg: data.isUsedTlsLibOutdated,
							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
						});
					}
					if(data.phpSupported && data.phpSupported.eol) {
						messages.push({
							msg: t('core', 'Your PHP version ({version}) is no longer <a href="{phpLink}">supported by PHP</a>. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by PHP.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}),
							type: OC.SetupChecks.MESSAGE_TYPE_INFO
						});
					}
					if(!data.forwardedForHeadersWorking) {
						messages.push({
							msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing ownCloud from a trusted proxy. If you are not accessing ownCloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to ownCloud. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}),
							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
						});
					}
				} else {
					messages.push({
						msg: t('core', 'Error occurred while checking server setup'),
						type: OC.SetupChecks.MESSAGE_TYPE_ERROR
					});
				}
				deferred.resolve(messages);
			};

			$.ajax({
				type: 'GET',
				url: OC.generateUrl('settings/ajax/checksetup')
			}).then(afterCall, afterCall);
			return deferred.promise();
		},

		/**
		 * Runs generic checks on the server side, the difference to dedicated
		 * methods is that we use the same XHR object for all checks to save
		 * requests.
		 *
		 * @return $.Deferred object resolved with an array of error messages
		 */
		checkGeneric: function() {
			var self = this;
			var deferred = $.Deferred();
			var afterCall = function(data, statusText, xhr) {
				var messages = [];
				messages = messages.concat(self._checkSecurityHeaders(xhr));
				messages = messages.concat(self._checkSSL(xhr));
				deferred.resolve(messages);
			};

			$.ajax({
				type: 'GET',
				url: OC.generateUrl('heartbeat')
			}).then(afterCall, afterCall);

			return deferred.promise();
		},

		/**
		 * Runs check for some generic security headers on the server side
		 *
		 * @param {Object} xhr
		 * @return {Array} Array with error messages
		 */
		_checkSecurityHeaders: function(xhr) {
			var messages = [];

			if (xhr.status === 200) {
				var securityHeaders = {
					'X-XSS-Protection': '1; mode=block',
					'X-Content-Type-Options': 'nosniff',
					'X-Robots-Tag': 'none',
					'X-Frame-Options': 'SAMEORIGIN'
				};

				for (var header in securityHeaders) {
					if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
						messages.push({
							msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}),
							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
						});
					}
				}
			} else {
				messages.push({
					msg: t('core', 'Error occurred while checking server setup'),
					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
				});
			}

			return messages;
		},

		/**
		 * Runs check for some SSL configuration issues on the server side
		 *
		 * @param {Object} xhr
		 * @return {Array} Array with error messages
		 */
		_checkSSL: function(xhr) {
			var messages = [];

			if (xhr.status === 200) {
				if(OC.getProtocol() === 'https') {
					// Extract the value of 'Strict-Transport-Security'
					var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
					if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
						var firstComma = transportSecurityValidity.indexOf(";");
						if(firstComma !== -1) {
							transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
						} else {
							transportSecurityValidity = transportSecurityValidity.substring(8);
						}
					}

					var minimumSeconds = 15768000;
					if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
						messages.push({
							msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'}),
							type: OC.SetupChecks.MESSAGE_TYPE_WARNING
						});
					}
				} else {
					messages.push({
						msg: t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'}),
						type: OC.SetupChecks.MESSAGE_TYPE_WARNING
					});
				}
			} else {
				messages.push({
					msg: t('core', 'Error occurred while checking server setup'),
					type: OC.SetupChecks.MESSAGE_TYPE_ERROR
				});
			}

			return messages;
		}
	};
})();
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server 2014-02-03 15:48:17 +04:00			`/*`
			`* Copyright (c) 2014`
			`*`
			`* This file is licensed under the Affero General Public License version 3`
			`* or later.`
			`*`
			`* See the COPYING-README file.`
			`*`
			`*/`

			`(function() {`
			`OC.SetupChecks = {`
Allow setupchecks to specify a warning level 2015-07-29 17:41:22 +03:00
			`/* Message types */`
			`MESSAGE_TYPE_INFO:0,`
			`MESSAGE_TYPE_WARNING:1,`
			`MESSAGE_TYPE_ERROR:2,`

Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server 2014-02-03 15:48:17 +04:00			`/**`
			`* Check whether the WebDAV connection works.`
			`*`
			`* @return $.Deferred object resolved with an array of error messages`
			`*/`
			`checkWebDAV: function() {`
			`var deferred = $.Deferred();`
			`var afterCall = function(xhr) {`
			`var messages = [];`
			`if (xhr.status !== 207 && xhr.status !== 401) {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'Your web server is not yet set up properly to allow file synchronization because the WebDAV interface seems to be broken.'),`
			`type: OC.SetupChecks.MESSAGE_TYPE_ERROR`
			`});`
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server 2014-02-03 15:48:17 +04:00			`}`
			`deferred.resolve(messages);`
			`};`

			`$.ajax({`
			`type: 'PROPFIND',`
			`url: OC.linkToRemoteBase('webdav'),`
			`data: '<?xml version="1.0"?>' +`
			`'<d:propfind xmlns:d="DAV:">' +`
			`'<d:prop><d:resourcetype/></d:prop>' +`
			`'</d:propfind>',`
			`complete: afterCall`
			`});`
			`return deferred.promise();`
			`},`

			`/**`
			`* Runs setup checks on the server side`
			`*`
			`* @return $.Deferred object resolved with an array of error messages`
			`*/`
			`checkSetup: function() {`
			`var deferred = $.Deferred();`
			`var afterCall = function(data, statusText, xhr) {`
			`var messages = [];`
			`if (xhr.status === 200 && data) {`
Check for working .htaccess via AJAX Fixes https://github.com/owncloud/core/issues/12650 2014-12-06 17:34:53 +03:00			`if (!data.serverHasInternetConnection) {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'This server has no working Internet connection. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.'),`
			`type: OC.SetupChecks.MESSAGE_TYPE_WARNING`
			`});`
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server 2014-02-03 15:48:17 +04:00			`}`
Check for working .htaccess via AJAX Fixes https://github.com/owncloud/core/issues/12650 2014-12-06 17:34:53 +03:00			`if(!data.dataDirectoryProtected) {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),`
			`type: OC.SetupChecks.MESSAGE_TYPE_ERROR`
			`});`
Check for working .htaccess via AJAX Fixes https://github.com/owncloud/core/issues/12650 2014-12-06 17:34:53 +03:00			`}`
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956 2015-03-26 16:51:33 +03:00			`if(!data.isMemcacheConfigured) {`
Allow setupchecks to specify a warning level 2015-07-29 17:41:22 +03:00			`messages.push({`
			`msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}),`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`type: OC.SetupChecks.MESSAGE_TYPE_INFO`
Allow setupchecks to specify a warning level 2015-07-29 17:41:22 +03:00			`});`
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956 2015-03-26 16:51:33 +03:00			`}`
Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention. 2015-05-26 15:11:38 +03:00			`if(!data.isUrandomAvailable) {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.securityDocs}),`
			`type: OC.SetupChecks.MESSAGE_TYPE_WARNING`
			`});`
Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention. 2015-05-26 15:11:38 +03:00			`}`
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901 2015-07-27 17:29:05 +03:00			`if(data.isUsedTlsLibOutdated) {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: data.isUsedTlsLibOutdated,`
			`type: OC.SetupChecks.MESSAGE_TYPE_WARNING`
			`});`
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901 2015-07-27 17:29:05 +03:00			`}`
Display warning in security & setup warnings if php version is EOL 2015-07-28 11:06:26 +03:00			`if(data.phpSupported && data.phpSupported.eol) {`
Move remaining setupchecks to new fomat 2015-08-18 15:42:57 +03:00			`messages.push({`
			`msg: t('core', 'Your PHP version ({version}) is no longer <a href="{phpLink}">supported by PHP</a>. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by PHP.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}),`
			`type: OC.SetupChecks.MESSAGE_TYPE_INFO`
			`});`
Display warning in security & setup warnings if php version is EOL 2015-07-28 11:06:26 +03:00			`}`
Add setup check for reverse proxy header configuration 2015-07-25 21:18:32 +03:00			`if(!data.forwardedForHeadersWorking) {`
Move remaining setupchecks to new fomat 2015-08-18 15:42:57 +03:00			`messages.push({`
			`msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing ownCloud from a trusted proxy. If you are not accessing ownCloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to ownCloud. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}),`
			`type: OC.SetupChecks.MESSAGE_TYPE_WARNING`
			`});`
Add setup check for reverse proxy header configuration 2015-07-25 21:18:32 +03:00			`}`
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server 2014-02-03 15:48:17 +04:00			`} else {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'Error occurred while checking server setup'),`
			`type: OC.SetupChecks.MESSAGE_TYPE_ERROR`
			`});`
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server 2014-02-03 15:48:17 +04:00			`}`
			`deferred.resolve(messages);`
			`};`

			`$.ajax({`
			`type: 'GET',`
			`url: OC.generateUrl('settings/ajax/checksetup')`
			`}).then(afterCall, afterCall);`
			`return deferred.promise();`
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS. 2015-01-19 13:56:04 +03:00			`},`

			`/**`
			`* Runs generic checks on the server side, the difference to dedicated`
			`* methods is that we use the same XHR object for all checks to save`
			`* requests.`
			`*`
			`* @return $.Deferred object resolved with an array of error messages`
			`*/`
			`checkGeneric: function() {`
			`var self = this;`
			`var deferred = $.Deferred();`
			`var afterCall = function(data, statusText, xhr) {`
			`var messages = [];`
			`messages = messages.concat(self._checkSecurityHeaders(xhr));`
			`messages = messages.concat(self._checkSSL(xhr));`
			`deferred.resolve(messages);`
			`};`

			`$.ajax({`
			`type: 'GET',`
			`url: OC.generateUrl('heartbeat')`
			`}).then(afterCall, afterCall);`

			`return deferred.promise();`
			`},`

			`/**`
			`* Runs check for some generic security headers on the server side`
			`*`
			`* @param {Object} xhr`
			`* @return {Array} Array with error messages`
			`*/`
			`_checkSecurityHeaders: function(xhr) {`
			`var messages = [];`

			`if (xhr.status === 200) {`
			`var securityHeaders = {`
			`'X-XSS-Protection': '1; mode=block',`
			`'X-Content-Type-Options': 'nosniff',`
			`'X-Robots-Tag': 'none',`
			`'X-Frame-Options': 'SAMEORIGIN'`
			`};`

			`for (var header in securityHeaders) {`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`if(!xhr.getResponseHeader(header) \|\| xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}),`
			`type: OC.SetupChecks.MESSAGE_TYPE_WARNING`
			`});`
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS. 2015-01-19 13:56:04 +03:00			`}`
			`}`
			`} else {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'Error occurred while checking server setup'),`
			`type: OC.SetupChecks.MESSAGE_TYPE_ERROR`
			`});`
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS. 2015-01-19 13:56:04 +03:00			`}`

			`return messages;`
			`},`

			`/**`
			`* Runs check for some SSL configuration issues on the server side`
			`*`
			`* @param {Object} xhr`
			`* @return {Array} Array with error messages`
			`*/`
			`_checkSSL: function(xhr) {`
			`var messages = [];`

			`if (xhr.status === 200) {`
			`if(OC.getProtocol() === 'https') {`
			`// Extract the value of 'Strict-Transport-Security'`
			`var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');`
			`if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {`
			`var firstComma = transportSecurityValidity.indexOf(";");`
			`if(firstComma !== -1) {`
Align recommended settings This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673 2015-06-15 11:39:25 +03:00			`transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);`
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS. 2015-01-19 13:56:04 +03:00			`} else {`
			`transportSecurityValidity = transportSecurityValidity.substring(8);`
			`}`
			`}`

Align recommended settings This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673 2015-06-15 11:39:25 +03:00			`var minimumSeconds = 15768000;`
			`if(isNaN(transportSecurityValidity) \|\| transportSecurityValidity <= (minimumSeconds - 1)) {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'}),`
			`type: OC.SetupChecks.MESSAGE_TYPE_WARNING`
			`});`
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS. 2015-01-19 13:56:04 +03:00			`}`
			`} else {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'}),`
			`type: OC.SetupChecks.MESSAGE_TYPE_WARNING`
			`});`
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS. 2015-01-19 13:56:04 +03:00			`}`
			`} else {`
All setup messages are now properly types 2015-07-29 18:40:42 +03:00			`messages.push({`
			`msg: t('core', 'Error occurred while checking server setup'),`
			`type: OC.SetupChecks.MESSAGE_TYPE_ERROR`
			`});`
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS. 2015-01-19 13:56:04 +03:00			`}`

			`return messages;`
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server 2014-02-03 15:48:17 +04:00			`}`
			`};`
			`})();`