Today I got a sudden warning on security & setup warning.
The “X-XSS-Protection” HTTP header is not configured to equal to “1; mode=block”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Robots-Tag” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Download-Options” HTTP header is not configured to equal to “noopen”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Permitted-Cross-Domain-Policies” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
I’m describing them to nginx.conf. But it seems that it is not valid.
Below is a screenshot of the development tool of Firefox. The response header.
This is displayed in the file list. The other items are almost the same, and the X headers are exactly the same.
Is the setting value of “add_header X - X-???-???” of nginx actually valid?
After that I tried restoring the configuration files on the server side and Nextcloud side to the initial configuration to the extent that Nextcloud runs. I still get the same warning. I replaced the Nextcloud source files as much as possible. I changed the configuration of Config.php to a simple configuration.
Is this problem server side? Or is it Nextcloud side?
I found “fastcgi modHeadersAvailable true;” with the find command and found its existence. Should I change it to false?
I made an nginx.conf file according to the Nextcloud manual on the link.
I tried removing the X header from all nginx.conf, contrary to the previous one. Then surprisingly I passed the examination of Nextcloud.
I did not explicitly change the server configuration. At first I passed the X header as it was written. And the next day it suddenly failed. Is it because modHeadersAvailable changed to True for some reason?
Glad to hear it is working now. I quite don‘t exactly understand what you did do. Doesn‘t matter though since it is working now.
Nextcloud normally sends the security headers. If they are present in the nginx configuration as well, they will be sent twice. Use fastcgi_param modHeadersAvailable true; to tell Nextcloud to not send them.
I am currently examining X headers. What I am wondering is that even though I have not written any X headers, I pass the Nextcloud validation function.
I write the X header in Nginx.conf as in the Nginx example in the NC manual. Then the top page has X headers by the Curl command and verification site. And below index.php also has X headers. And has been added. For example, X-Frame-Options SAMEORIGIN, then X-Frame-Options DENY. An X-Frame-Options SAMEORIGIN is given by something. What I intended to describe is “DENY”. At this time, the verification function of NC issues a warning.
The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation ↗.
In my case, is it better to not write X headers in Nginx.conf? But why is the X header automatically given?
I tried restarting the server and connecting from the first computer/Mobile device, but the results were the same.
It was NC15 that I noticed this. Does Nextcloud have a feature to add X headers automatically?
Plesk has no configuration to automatically add X headers. When I create a subdomain, there are no X headers attached. I can only think of being added by Nextcloud.
I’m using nginx. Still I edit Nextcloud’s .htaccess and remove the X header. Of course I do not write any X headers in nginx.conf. Still when I access NC, X headers are added. And duplicate to two. Nevertheless, I will be warned that NC verification has not been set. I can check the X headers when I connect using a web browser development tool or Curl command. I am still wondering if a warning will come out.
When this happens I am very concerned about whether the X headers are applied or not.
X headers are allocated by NC outside of my nginx.conf. Even if I remove all the X headers from nginx.conf (including conf.d etc) or .htaccess, the X headers are applied. Where does Nextcloud give X headers?
i removed all headers from the nginx config and now nextcloud and the scanner(https://scan.nextcloud.com/) say that all headers are present. The browser and https://securityheaders.com say but that no headers are set.
