From 7d23d2971bd74ded9856c010cd35a9d3d0e062d8 Mon Sep 17 00:00:00 2001
From: Jeavon Leopold
Date: Thu, 28 Oct 2021 15:54:37 +0100
Subject: [PATCH 1/2] Fix the basehttpheader health check so that it's checking the root of the domain instead of the /umbraco path.
---
 .../HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs
index eeb291c41faf..a3e861e18041 100644
--- a/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs
@@ -79,7 +79,7 @@ protected async Task CheckForHeader()
 var success = false;
 // Access the site home page and check for the click-jack protection header or meta tag
- Uri url = _hostingEnvironment.ApplicationMainUrl;
+ var url = _hostingEnvironment.ApplicationMainUrl.GetLeftPart(UriPartial.Authority);
 try
 {
From 3dee42698567b6b32bd87fe93b9d84d141169f12 Mon Sep 17 00:00:00 2001
From: Jeavon Leopold
Date: Thu, 28 Oct 2021 15:56:31 +0100
Subject: [PATCH 2/2] Remove unused value from security health checks (it was used in v8 for fixing)
---
 .../Checks/Security/BaseHttpHeaderCheck.cs | 20 ++++++-------------
 .../Checks/Security/ClickJackingCheck.cs | 4 ++--
 .../Checks/Security/ExcessiveHeadersCheck.cs | 4 ++--
 .../HealthChecks/Checks/Security/HstsCheck.cs | 4 ++--
 .../Checks/Security/NoSniffCheck.cs | 4 ++--
 .../Checks/Security/XssProtectionCheck.cs | 4 ++--
 6 files changed, 16 insertions(+), 24 deletions(-)
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs
index a3e861e18041..99deaa2af7f9 100644
--- a/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs
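Review bot: `GetLeftPart(UriPartial.Authority)` now executes on the line before the `try`, so if `ApplicationMainUrl` is null or a relative `Uri` at check time the call throws out of `CheckForHeader` instead of becoming the localized "invalid URL" result that the `catch` below produces (that `catch` is visible in the second patch's hunk at old line 95). If the hosting environment can leave the main URL unset, moving the assignment inside the `try`, or guarding it with `if (_hostingEnvironment.ApplicationMainUrl is null)`, keeps the health check reporting rather than faulting. The comment above the line could also record why only the authority is used: `// Probe the site root (scheme + authority only, not the /umbraco backoffice path) and check for the header or meta tag`. CheckForHeader's body continues outside the hunk.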
@@ -1,4 +1,4 @@
-// Copyright (c) Umbraco.
+// Copyright (c) Umbraco.
 // See LICENSE for more details.
 using System;
@@ -20,8 +20,8 @@ namespace Umbraco.Cms.Core.HealthChecks.Checks.Security
 public abstract class BaseHttpHeaderCheck : HealthCheck
 {
 private readonly IHostingEnvironment _hostingEnvironment;
+ private readonly ILocalizedTextService _textService;
 private readonly string _header;
- private readonly string _value;
 private readonly string _localizedTextPrefix;
 private readonly bool _metaTagOptionAvailable;
 private static HttpClient s_httpClient;
@@ -33,26 +33,18 @@ protected BaseHttpHeaderCheck(
 IHostingEnvironment hostingEnvironment,
 ILocalizedTextService textService,
 string header,
- string value,
 string localizedTextPrefix,
 bool metaTagOptionAvailable)
 {
- LocalizedTextService = textService ?? throw new ArgumentNullException(nameof(textService));
+ _textService = textService ?? throw new ArgumentNullException(nameof(textService));
 _hostingEnvironment = hostingEnvironment;
 _header = header;
- _value = value;
 _localizedTextPrefix = localizedTextPrefix;
 _metaTagOptionAvailable = metaTagOptionAvailable;
 }
 private static HttpClient HttpClient => s_httpClient ??= new HttpClient();
-
- ///
- /// Gets the localized text service.
- ///
- protected ILocalizedTextService LocalizedTextService { get; }
-
 ///
 /// Gets a link to an external read more page.
 ///
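Review bot: Dropping `protected ILocalizedTextService LocalizedTextService { get; }` from a public abstract class removes a member that derived checks outside this assembly may read, which is a breaking change the commit title ("remove unused value") does not mention; if external subclasses are a supported scenario, keep the property as a thin accessor (`protected ILocalizedTextService LocalizedTextService => _textService;`) or state the break explicitly in the commit message. In the constructor, `_hostingEnvironment = hostingEnvironment;` remains unguarded while `textService` is null-checked on the line above; for consistency, `_hostingEnvironment = hostingEnvironment ?? throw new ArgumentNullException(nameof(hostingEnvironment));`. The class body continues outside the hunk.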
@@ -95,12 +87,12 @@ protected async Task CheckForHeader()
 }
 message = success
- ? LocalizedTextService.Localize($"healthcheck", $"{_localizedTextPrefix}CheckHeaderFound")
- : LocalizedTextService.Localize($"healthcheck", $"{_localizedTextPrefix}CheckHeaderNotFound");
+ ? _textService.Localize($"healthcheck", $"{_localizedTextPrefix}CheckHeaderFound")
+ : _textService.Localize($"healthcheck", $"{_localizedTextPrefix}CheckHeaderNotFound");
 }
 catch (Exception ex)
 {
- message = LocalizedTextService.Localize("healthcheck","healthCheckInvalidUrl", new[] { url.ToString(), ex.Message });
+ message = _textService.Localize("healthcheck","healthCheckInvalidUrl", new[] { url.ToString(), ex.Message });
 }
 return
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/ClickJackingCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/ClickJackingCheck.cs
index 957ee0b71507..8586989f32a8 100644
--- a/src/Umbraco.Core/HealthChecks/Checks/Security/ClickJackingCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/ClickJackingCheck.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Umbraco.
+// Copyright (c) Umbraco.
 // See LICENSE for more details.
 using Umbraco.Cms.Core.Hosting;
@@ -20,7 +20,7 @@ public class ClickJackingCheck : BaseHttpHeaderCheck
 /// Initializes a new instance of the class.
 ///
 public ClickJackingCheck(IHostingEnvironment hostingEnvironment, ILocalizedTextService textService)
- : base(hostingEnvironment, textService, "X-Frame-Options", "sameorigin", "clickJacking", true)
+ : base(hostingEnvironment, textService, "X-Frame-Options", "clickJacking", true)
 {
 }
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/ExcessiveHeadersCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/ExcessiveHeadersCheck.cs
index 34c76f2b6dc2..d5eac030389d 100644
--- a/src/Umbraco.Core/HealthChecks/Checks/Security/ExcessiveHeadersCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/ExcessiveHeadersCheck.cs
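Review bot: On the two new `_textService.Localize(...)` lines the first argument `$"healthcheck"` is an interpolated string with no placeholders; write it as the plain literal `"healthcheck"`, as the new line in the `catch` already does. In that `catch`, `url` is a `string` after the first patch switched it to `GetLeftPart(UriPartial.Authority)`, so `url.ToString()` is redundant: `new[] { url, ex.Message }`. Only `ex.Message` reaches the health-check result; if this class has a logger available, logging the full exception would make failed probes diagnosable without changing what the backoffice shows. CheckForHeader starts outside the hunk.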
@@ -1,4 +1,4 @@
-// Copyright (c) Umbraco.
+// Copyright (c) Umbraco.
 // See LICENSE for more details.
 using System;
@@ -53,7 +53,7 @@ private async Task CheckForHeaders()
 {
 string message;
 var success = false;
- var url = _hostingEnvironment.ApplicationMainUrl.GetLeftPart(UriPartial.Authority);;
+ var url = _hostingEnvironment.ApplicationMainUrl.GetLeftPart(UriPartial.Authority);
 // Access the site home page and check for the headers
 var request = new HttpRequestMessage(HttpMethod.Head, url);
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/HstsCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/HstsCheck.cs
index b2166b88bd0d..7902f4e3f873 100644
--- a/src/Umbraco.Core/HealthChecks/Checks/Security/HstsCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/HstsCheck.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Umbraco.
+// Copyright (c) Umbraco.
 // See LICENSE for more details.
 using Umbraco.Cms.Core.Hosting;
@@ -27,7 +27,7 @@ public class HstsCheck : BaseHttpHeaderCheck
 /// but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
 ///
 public HstsCheck(IHostingEnvironment hostingEnvironment, ILocalizedTextService textService)
- : base(hostingEnvironment, textService, "Strict-Transport-Security", "max-age=10886400", "hSTS", true)
+ : base(hostingEnvironment, textService, "Strict-Transport-Security", "hSTS", true)
 {
 }
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/NoSniffCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/NoSniffCheck.cs
index 035733e4ee01..78ee2c0e124f 100644
--- a/src/Umbraco.Core/HealthChecks/Checks/Security/NoSniffCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/NoSniffCheck.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Umbraco.
+// Copyright (c) Umbraco.
 // See LICENSE for more details.
 using Umbraco.Cms.Core.Hosting;
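Review bot: With `"max-age=10886400"` removed from the HstsCheck constructor, nothing in this class records what a passing configuration looks like, and the XML doc above the constructor (its start is outside the hunk) becomes the only place to say so. As far as the base-class code visible in this patch shows, the probe only reports CheckHeaderFound/CheckHeaderNotFound, so a sentence such as `/// This check only verifies that the Strict-Transport-Security header is present; the max-age value itself is not validated.` would stop operators reading a green result as proof of an adequate policy. The same point applies to the `"1; mode=block"` removal in the XssProtectionCheck hunk further down.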
@@ -20,7 +20,7 @@ public class NoSniffCheck : BaseHttpHeaderCheck
 /// Initializes a new instance of the class.
 ///
 public NoSniffCheck(IHostingEnvironment hostingEnvironment, ILocalizedTextService textService)
- : base(hostingEnvironment, textService, "X-Content-Type-Options", "nosniff", "noSniff", false)
+ : base(hostingEnvironment, textService, "X-Content-Type-Options", "noSniff", false)
 {
 }
diff --git a/src/Umbraco.Core/HealthChecks/Checks/Security/XssProtectionCheck.cs b/src/Umbraco.Core/HealthChecks/Checks/Security/XssProtectionCheck.cs
index 6c05c39f4646..570ca8002d74 100644
--- a/src/Umbraco.Core/HealthChecks/Checks/Security/XssProtectionCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/XssProtectionCheck.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Umbraco.
+// Copyright (c) Umbraco.
 // See LICENSE for more details.
 using Umbraco.Cms.Core.Hosting;
@@ -27,7 +27,7 @@ public class XssProtectionCheck : BaseHttpHeaderCheck
 /// but then you should include subdomains and I wouldn't suggest to do that for Umbraco-sites.
 ///
 public XssProtectionCheck(IHostingEnvironment hostingEnvironment, ILocalizedTextService textService)
- : base(hostingEnvironment, textService, "X-XSS-Protection", "1; mode=block", "xssProtection", true)
+ : base(hostingEnvironment, textService, "X-XSS-Protection", "xssProtection", true)
 {
 }
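Review bot: The XssProtectionCheck constructor keeps probing for `X-XSS-Protection`, a header that, as far as I know, current browsers no longer honour (it is deprecated, and where it is still sent the usual advice is `0` to disable the legacy filter), so presence of the header says little about the site's actual XSS posture. Since this commit already touches the constructor, a sentence in the XML summary above it (which starts outside the hunk) noting that the header is legacy and that a Content-Security-Policy is the current control would keep operators from over-reading a passing result. The visible context line about subdomains appears copied from the HstsCheck doc and does not describe this header; worth correcting at the same time.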