Confusing security messages

After updating from NC 16 to 17.0.1, the NC Security & setup warning offers:

  • The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

  • The “X-Robots-Tag” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

  • The “X-Download-Options” HTTP header is not set to “noopen”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

  • The “X-Permitted-Cross-Domain-Policies” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

  • The “Referrer-Policy” HTTP header is not set to “no-referrer”, “no-referrer-when-downgrade”, “strict-origin”, “strict-origin-when-cross-origin” or “same-origin”. This can leak referer information. See the W3C Recommendation.

That’s a funny message, because I obviously already set the headers in the Apache configuration, and it worked smoothly until this upgrade.

Some checks later I found out that NC 17.0.1 now tries to set these headers via the .htaccess file. In consequence it is necessary to remove the header settings from the Apache conf to get an OK check from the NC Security & setup warning.

That’s in principle OK, but in this case the messages for this setting are absolutely, totally wrong and confusing.

Nextcloud version: 17.0.1
Operating system and version: Ubuntu 18.04
Apache or nginx version: Apache/2.4.29
PHP version: PHP 7.2.4

You should make sure that your header lines are only set once to prevent such error messages, as described here:

THX, yes I know. The point of my message was the confusing messages of the security check. I think it should be possible to post better information instead of telling the admin to add some things which he then has to remove. Also I wonder why the team put header settings into the .htaccess … and when they do that, why they do it incompletely, since the
Header always set Strict-Transport-Security …
still has to be configured in the Apache config.
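A way to check a server for exactly the situation described in this thread, as an added example that is not from the posts or from Nextcloud: it audits a captured set of response headers against the values the setup warning lists, and additionally flags any header sent more than once, which is what the overlap between the Apache vhost and Nextcloud's .htaccess produces. It assumes POSIX sh, and that the headers were saved with something like `curl -sI https://cloud.example.org/ > headers.txt` (the hostname is a placeholder); the sample data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Nextcloud: audit response headers
# the way the NC setup check expects them, plus a duplicate check that catches
# the vhost-and-.htaccess overlap the thread describes.

check_one() {
    # $1 = headers file, $2 = header name, $3 = case-insensitive ERE that every
    # value must match. Prints one line per problem, returns the problem count.
    values=$(grep -i "^$2:" "$1" | tr -d '\r' | sed 's/^[^:]*:[[:space:]]*//' || true)
    count=$(printf '%s\n' "$values" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "MISSING   $2"
        return 1
    fi
    n=0
    if [ "$count" -gt 1 ]; then
        echo "DUPLICATE $2 sent $count times (vhost and .htaccess both setting it?)"
        n=1
    fi
    bad=$(printf '%s\n' "$values" | grep -E -i -v -c "$3" || true)
    if [ "$bad" -gt 0 ]; then
        echo "BADVALUE  $2: $bad value(s) not matching $3"
        n=$((n + 1))
    fi
    return $n
}

check_headers() {
    # $1 = headers file; returns 0 when every header is present exactly once
    # with an accepted value. HSTS is included because, as the thread notes,
    # it still has to come from the Apache config rather than .htaccess.
    p=0
    check_one "$1" X-Content-Type-Options '^nosniff$' || p=$((p + $?))
    check_one "$1" X-Robots-Tag '^none$' || p=$((p + $?))
    check_one "$1" X-Download-Options '^noopen$' || p=$((p + $?))
    check_one "$1" X-Permitted-Cross-Domain-Policies '^none$' || p=$((p + $?))
    check_one "$1" Referrer-Policy \
        '^(no-referrer|no-referrer-when-downgrade|strict-origin|strict-origin-when-cross-origin|same-origin)$' || p=$((p + $?))
    check_one "$1" Strict-Transport-Security '^max-age=[0-9]+' || p=$((p + $?))
    return $p
}

# Constructed sample reproducing the thread's situation: the vhost and
# .htaccess both emit X-Content-Type-Options, and HSTS is not set at all.
write_sample() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Content-Type: text/html; charset=UTF-8' \
        'X-Content-Type-Options: nosniff' 'X-Robots-Tag: none' \
        'X-Download-Options: noopen' 'X-Permitted-Cross-Domain-Policies: none' \
        'Referrer-Policy: no-referrer' 'X-Content-Type-Options: nosniff' > "$1"
}
```

Running `write_sample h.txt; check_headers h.txt` reports the duplicated X-Content-Type-Options and the missing Strict-Transport-Security, and exits with status 2; a clean header set exits 0.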

I agree, there is always room for improvements :wink: As a developer it is always difficult to set up checks for all kinds of wrong configurations. Afaik the default message is being displayed because that case hasn’t been thought about during the coding phase.

But in this case the “standard” was to have the settings in the Apache config until 16.xxx. To my knowledge it is a new “implementation” to have the settings in the .htaccess. So if I decided as a developer to switch them to another location, it should be obvious to check whether the security check goes right or wrong, even more so since most people will upgrade and not install for the first time. Otherwise it is useless to have a security check.