After updating from NC 16 to 17.0.1, the NC Security & setup warnings page shows:
- The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “X-Robots-Tag” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “X-Download-Options” HTTP header is not set to “noopen”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “X-Permitted-Cross-Domain-Policies” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “Referrer-Policy” HTTP header is not set to “no-referrer”, “no-referrer-when-downgrade”, “strict-origin”, “strict-origin-when-cross-origin” or “same-origin”. This can leak referer information. See the W3C Recommendation.
That’s a funny message, because I obviously already set the header in the Apache configuration and it worked smoothly until this upgrade.
Some checks later I found out that NC 17.0.1 now tries to set these headers via the .htaccess file. As a consequence, it is necessary to remove the header settings from the Apache conf to get an OK check from the NC Security & setup warning.
That’s OK in principle, but in this case, for this setting, the message is absolutely wrong and confusing.
Nextcloud version: 17.0.1
Operating system and version: Ubuntu 18.04
Apache or nginx version: Apache/2.4.29
PHP version: php 7.2.4
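
An added example, not part of the original post and not Nextcloud's own check: a small auditor that classifies each of the five headers named in the warnings as ok, missing, multiple or wrong. It assumes (the post does not state this) that when both the Apache conf and the .htaccess file set a header, the response carries it twice and a client compares the comma-joined value; the function name, status labels and sample responses are constructed for illustration.

```python
from collections import defaultdict

# Accepted values, taken from the warning texts quoted in the post.
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-robots-tag": {"none"},
    "x-download-options": {"noopen"},
    "x-permitted-cross-domain-policies": {"none"},
    "referrer-policy": {"no-referrer", "no-referrer-when-downgrade",
                        "strict-origin", "strict-origin-when-cross-origin",
                        "same-origin"},
}

def audit(raw_headers):
    """Return {header: 'ok' | 'missing' | 'multiple' | 'wrong'}."""
    seen = defaultdict(list)
    for line in raw_headers.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:  # skip status lines and anything without a colon
            seen[name.strip().lower()].append(value.strip().lower())
    result = {}
    for name, accepted in EXPECTED.items():
        values = seen.get(name, [])
        # Assumption: repeated header lines are joined with ", " by the
        # client before the comparison, so "nosniff, nosniff" != "nosniff".
        combined = ", ".join(values)
        if not values:
            result[name] = "missing"
        elif combined in accepted:
            result[name] = "ok"
        elif len(combined.split(",")) > 1:
            result[name] = "multiple"  # set in more than one place
        else:
            result[name] = "wrong"
    return result

# Constructed sample: headers set in exactly one place.
ONCE = """\
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
"""
# Constructed sample: the same headers set by two configuration layers.
TWICE = ONCE + ONCE

if __name__ == "__main__":
    for label, sample in (("once", ONCE), ("twice", TWICE)):
        print(label, audit(sample))
```

Feeding it the output of `curl -sI` against the server shows whether a header is absent or simply present more than once, which the warning text alone does not distinguish.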