Manually applying PR: Three new healthchecks #1522

2018-04-12 18:38:00 +02:00
parent b0f0a7afc4
commit 29d9dcffb8
5 changed files with 64 additions and 2 deletions
--- a/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
+++ b/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
@@ -2109,7 +2109,17 @@ To manage your website, simply open the Umbraco back office and start adding con
        <key alias="noSniffCheckHeaderNotFound"><![CDATA[The header or meta-tag <strong>X-Content-Type-Options</strong> used to protect against MIME sniffing vulnerabilities was not found.]]></key>
        <key alias="noSniffSetHeaderInConfigDescription">Adds a value to the httpProtocol/customHeaders section of web.config to protect against MIME sniffing vulnerabilities.</key>
        <key alias="noSniffSetHeaderInConfigSuccess">A setting to create a header protecting against MIME sniffing vulnerabilities has been added to your web.config file.</key>
-        	
+
+        <key alias="hSTSCheckHeaderFound"><![CDATA[The header <strong>Strict-Transport-Security</strong>, also known as the HSTS-header, was found.]]></key>
+        <key alias="hSTSCheckHeaderNotFound"><![CDATA[The header <strong>Strict-Transport-Security</strong> was not found.]]></key>
+        <key alias="hSTSSetHeaderInConfigDescription">Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400; preload' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).</key>
+        <key alias="hSTSSetHeaderInConfigSuccess">The HSTS header has been added to your web.config file.</key>
+
+        <key alias="xssProtectionCheckHeaderFound"><![CDATA[The header <strong>X-XSS-Protection</strong> was found.]]></key>
+        <key alias="xssProtectionCheckHeaderNotFound"><![CDATA[The header <strong>X-XSS-Protection</strong> was not found.]]></key>
+        <key alias="xssProtectionSetHeaderInConfigDescription">Adds the header 'X-XSS-Protection' with the value '1; mode=block' to the httpProtocol/customHeaders section of web.config. </key>
+        <key alias="xssProtectionSetHeaderInConfigSuccess">The X-XSS-Protection header has been added to your web.config file.</key>
+
        <!-- The following key get these tokens passed in:
 	    0: Comma delimitted list of headers found
  	-->
--- a/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
+++ b/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
@@ -2100,7 +2100,17 @@ To manage your website, simply open the Umbraco back office and start adding con
        <key alias="noSniffCheckHeaderNotFound"><![CDATA[The header or meta-tag <strong>X-Content-Type-Options</strong> used to protect against MIME sniffing vulnerabilities was not found.]]></key>
        <key alias="noSniffSetHeaderInConfigDescription">Adds a value to the httpProtocol/customHeaders section of web.config to protect against MIME sniffing vulnerabilities.</key>
        <key alias="noSniffSetHeaderInConfigSuccess">A setting to create a header protecting against MIME sniffing vulnerabilities has been added to your web.config file.</key>
-        			
+
+        <key alias="hSTSCheckHeaderFound"><![CDATA[The header <strong>Strict-Transport-Security</strong>, also known as the HSTS-header, was found.]]></key>
+        <key alias="hSTSCheckHeaderNotFound"><![CDATA[The header <strong>Strict-Transport-Security</strong> was not found.]]></key>
+        <key alias="hSTSSetHeaderInConfigDescription">Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400; preload' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).</key>
+        <key alias="hSTSSetHeaderInConfigSuccess">The HSTS header has been added to your web.config file.</key>
+
+        <key alias="xssProtectionCheckHeaderFound"><![CDATA[The header <strong>X-XSS-Protection</strong> was found.]]></key>
+        <key alias="xssProtectionCheckHeaderNotFound"><![CDATA[The header <strong>X-XSS-Protection</strong> was not found.]]></key>
+        <key alias="xssProtectionSetHeaderInConfigDescription">Adds the header 'X-XSS-Protection' with the value '1; mode=block' to the httpProtocol/customHeaders section of web.config. </key>
+        <key alias="xssProtectionSetHeaderInConfigSuccess">The X-XSS-Protection header has been added to your web.config file.</key>
+
        <!-- The following key get these tokens passed in:
 	    0: Comma delimitted list of headers found
  	-->
--- a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
@@ -0,0 +1,20 @@
+namespace Umbraco.Web.HealthCheck.Checks.Security
+{
+    [HealthCheck(
+        "E2048C48-21C5-4BE1-A80B-8062162DF124",
+        "Cookie hijacking and protocol downgrade attacks Protection (Strict-Transport-Security Header (HSTS))",
+        Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds with a default of 100 days.",
+        Group = "Security")]
+    public class HstsCheck : BaseHttpHeaderCheck
+    {
+        // The check is mostly based on the instructions in the OWASP CheatSheet
+        // (https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet)
+        // and the blogpost of Troy Hunt (https://www.troyhunt.com/understanding-http-strict-transport/)
+        // If you want do to it perfectly, you have to submit it https://hstspreload.appspot.com/,
+        // but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
+        public HstsCheck(HealthCheckContext healthCheckContext)
+            : base(healthCheckContext, "Strict-Transport-Security", "max-age=10886400; preload", "hSTS", true)
+        {
+        }
+    }
+}
--- a/src/Umbraco.Web/HealthCheck/Checks/Security/XssProtectionCheck.cs
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/XssProtectionCheck.cs
@@ -0,0 +1,20 @@
+namespace Umbraco.Web.HealthCheck.Checks.Security
+{
+    [HealthCheck(
+        "F4D2B02E-28C5-4999-8463-05759FA15C3A",
+        "Cross-site scripting Protection (X-XSS-Protection header)",
+        Description = "This header enables the Cross-site scripting (XSS) filter in your browser. It checks for the presence of the X-XSS-Protection-header.",
+        Group = "Security")]
+    public class XssProtectionCheck : BaseHttpHeaderCheck
+    {
+        // The check is mostly based on the instructions in the OWASP CheatSheet
+        // (https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet)
+        // and the blogpost of Troy Hunt (https://www.troyhunt.com/understanding-http-strict-transport/)
+        // If you want do to it perfectly, you have to submit it https://hstspreload.appspot.com/,
+        // but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
+        public XssProtectionCheck(HealthCheckContext healthCheckContext)
+            : base(healthCheckContext, "X-XSS-Protection", "1; mode=block", "xssProtection", true)
+        {
+        }
+    }
+}
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -337,6 +337,8 @@
    <Compile Include="Editors\CodeFileController.cs" />
    <Compile Include="Editors\TourController.cs" />
    <Compile Include="Features\EnabledFeatures.cs" />
+    <Compile Include="HealthCheck\Checks\Security\XssProtectionCheck.cs" />
+    <Compile Include="HealthCheck\Checks\Security\HstsCheck.cs" />
    <Compile Include="Models\BackOfficeTourFilter.cs" />
    <Compile Include="Models\ContentEditing\BackOfficePreview.cs" />
    <Compile Include="Models\Mapping\AutoMapperExtensions.cs" />