diff --git a/src/Umbraco.Web.UI/umbraco/config/lang/en.xml b/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
index e16e3108f1..e0f9495298 100644
--- a/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
+++ b/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
@@ -2109,7 +2109,17 @@ To manage your website, simply open the Umbraco back office and start adding con
X-Content-Type-Options used to protect against MIME sniffing vulnerabilities was not found.]]>
Adds a value to the httpProtocol/customHeaders section of web.config to protect against MIME sniffing vulnerabilities.
A setting to create a header protecting against MIME sniffing vulnerabilities has been added to your web.config file.
-
+
+ Strict-Transport-Security, also known as the HSTS-header, was found.]]>
+ Strict-Transport-Security was not found.]]>
+ Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400; preload' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).
+ The HSTS header has been added to your web.config file.
+
+ X-XSS-Protection was found.]]>
+ X-XSS-Protection was not found.]]>
+ Adds the header 'X-XSS-Protection' with the value '1; mode=block' to the httpProtocol/customHeaders section of web.config.
+ The X-XSS-Protection header has been added to your web.config file.
+
diff --git a/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml b/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
index 3632b8162a..a6c0774582 100644
--- a/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
+++ b/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
@@ -2100,7 +2100,17 @@ To manage your website, simply open the Umbraco back office and start adding con
X-Content-Type-Options used to protect against MIME sniffing vulnerabilities was not found.]]>
Adds a value to the httpProtocol/customHeaders section of web.config to protect against MIME sniffing vulnerabilities.
A setting to create a header protecting against MIME sniffing vulnerabilities has been added to your web.config file.
-
+
+ Strict-Transport-Security, also known as the HSTS-header, was found.]]>
+ Strict-Transport-Security was not found.]]>
+ Adds the header 'Strict-Transport-Security' with the value 'max-age=10886400; preload' to the httpProtocol/customHeaders section of web.config. Use this fix only if you will have your domains running with https for the next 18 weeks (minimum).
+ The HSTS header has been added to your web.config file.
+
+ X-XSS-Protection was found.]]>
+ X-XSS-Protection was not found.]]>
+ Adds the header 'X-XSS-Protection' with the value '1; mode=block' to the httpProtocol/customHeaders section of web.config.
+ The X-XSS-Protection header has been added to your web.config file.
+
diff --git a/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
new file mode 100644
index 0000000000..fede5c7907
--- /dev/null
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/HstsCheck.cs
@@ -0,0 +1,20 @@
+namespace Umbraco.Web.HealthCheck.Checks.Security
+{
+ [HealthCheck(
+ "E2048C48-21C5-4BE1-A80B-8062162DF124",
+ "Cookie hijacking and protocol downgrade attacks Protection (Strict-Transport-Security Header (HSTS))",
+ Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds with a default of 100 days.",
+ Group = "Security")]
+ public class HstsCheck : BaseHttpHeaderCheck
+ {
+ // The check is mostly based on the instructions in the OWASP CheatSheet
+ // (https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet)
+ // and the blogpost of Troy Hunt (https://www.troyhunt.com/understanding-http-strict-transport/)
+ // If you want do to it perfectly, you have to submit it https://hstspreload.appspot.com/,
+ // but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
+ public HstsCheck(HealthCheckContext healthCheckContext)
+ : base(healthCheckContext, "Strict-Transport-Security", "max-age=10886400; preload", "hSTS", true)
+ {
+ }
+ }
+}
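Review bot: The `Description = …` text on the attribute says the fix adds "a default of 100 days", but the value passed to the base constructor is `max-age=10886400`, which is 126 days (18 weeks) and matches the en.xml/en_us.xml wording in this commit; change it to `Description = "Checks if your site, when running with HTTPS, contains the Strict-Transport-Security Header (HSTS). If not, it adds it with a default max-age of 18 weeks (126 days)."`. The value also carries the `preload` token while the class comment explicitly argues against preload-list submission (which would require includeSubDomains), so either drop the token, `"max-age=10886400"`, together with the matching lang-file text, or state in the comment why it is kept. Since the fix writes into httpProtocol/customHeaders, the header presumably goes out on plain-HTTP responses as well; browsers ignore HSTS received over HTTP, so that is harmless, but the "when running with HTTPS" wording should not suggest the fix itself is conditional.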
diff --git a/src/Umbraco.Web/HealthCheck/Checks/Security/XssProtectionCheck.cs b/src/Umbraco.Web/HealthCheck/Checks/Security/XssProtectionCheck.cs
new file mode 100644
index 0000000000..897c92efa9
--- /dev/null
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/XssProtectionCheck.cs
@@ -0,0 +1,20 @@
+namespace Umbraco.Web.HealthCheck.Checks.Security
+{
+ [HealthCheck(
+ "F4D2B02E-28C5-4999-8463-05759FA15C3A",
+ "Cross-site scripting Protection (X-XSS-Protection header)",
+ Description = "This header enables the Cross-site scripting (XSS) filter in your browser. It checks for the presence of the X-XSS-Protection-header.",
+ Group = "Security")]
+ public class XssProtectionCheck : BaseHttpHeaderCheck
+ {
+ // The check is mostly based on the instructions in the OWASP CheatSheet
+ // (https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet)
+ // and the blogpost of Troy Hunt (https://www.troyhunt.com/understanding-http-strict-transport/)
+ // If you want do to it perfectly, you have to submit it https://hstspreload.appspot.com/,
+ // but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
+ public XssProtectionCheck(HealthCheckContext healthCheckContext)
+ : base(healthCheckContext, "X-XSS-Protection", "1; mode=block", "xssProtection", true)
+ {
+ }
+ }
+}
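Review bot: The class comment above the constructor is copied verbatim from HstsCheck — it cites the OWASP HSTS cheat sheet, Troy Hunt's HSTS post and hstspreload, none of which concern X-XSS-Protection — and will mislead the next reader. Replace it with a comment that describes this check, e.g. `// Adds X-XSS-Protection: 1; mode=block, which asks browsers that implement the legacy XSS filter to block the response outright rather than attempt to sanitise it.` It is worth noting in the same comment that current major browsers have removed that filter, so the header mainly matters for older clients and should not be treated as an XSS mitigation on its own.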
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 8a0106e0b1..b578e20401 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -337,6 +337,8 @@
+
+