Header configuration with nextcloud in a subfolder


How can I properly set up my header configuration when Nextcloud is in a subfolder?

The Nextcloud folder is under /var/www/nextcloud, including the standard .htaccess.

Under /etc/apache2/sites-enabled/ are two files:
000-default.conf and nextcloud.conf

If I check my Nextcloud URL on https://securityheaders.com, there are no config errors, but if I set up a .htaccess under main (www), there is no effect. If I check my domain (alone), no headers are secured.

If I save these settings in 000-default.conf, the configuration seems to have duplicates on domain/nextcloud.
securityheaders.com gives me an A rating, but Nextcloud tells me these options are missing (when they have duplicates).

<IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Referrer-Policy "no-referrer"
    Header set X-Frame-Options "SAMEORIGIN"
    Header always set Feature-Policy "autoplay 'none';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'"
    Header set Content-Security-Policy "none"
    SetEnv modHeadersAvailable true
</IfModule>

I am not sure how to get these options properly set up for both https://domain and https://domain/nextcloud


I had to comment the line
# Header set X-Content-Type-Options "nosniff"
in .htaccess
to make the header error disappear.

To get rid of any warning in securityheaders.com and nextcloud, I need to uncomment the whole header package in nextcloud/.htaccess

#  <IfModule mod_env.c>
    # Add security and privacy related headers
#    Header always set Referrer-Policy "no-referrer"
#    Header always set X-Content-Type-Options "nosniff"
#    Header always set X-Download-Options "noopen"
#    Header always set X-Frame-Options "SAMEORIGIN"
#    Header always set X-Permitted-Cross-Domain-Policies "none"
#    Header always set X-Robots-Tag "none"
#    Header always set X-XSS-Protection "1; mode=block"
#    SetEnv modHeadersAvailable true
#  </IfModule>

But this should not be the desired solution?

I suppose the nextcloud/.htaccess will be overwritten on updates anyway?

There exists a pull request related to this issue:

I had hoped it would have been resolved in the meantime, but it seems it is still in discussion.

Of course commenting the lines in .htaccess is not a final solution, and must be reapplied after each update. But it helps to get rid of the warnings.


Thanks, the mentioned onsuccess option does not work here. "Internal Server Error"

Header setifempty X-Content-Type-Options "nosniff"

works here.

Just replacing always with setifempty?

hm, this is not working: "500 Internal Server Error"

I need to uncomment it completely, strange.

What is in your apache error log?

I replaced "always set" by "setifempty", as above.

Sorry found my mistake, it is working.

I still have two warnings at the check page, can I get rid of them too?

Content-Security-Policy: No valid directives found in policy.
Feature-Policy: There was a duplicate Feature-Policy header.
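The findings reported above (duplicate headers on domain/nextcloud in the question, and the "no valid directives" and duplicate Feature-Policy warnings in the last check) can be reproduced locally before touching the vhost or .htaccess again. The following is an added example, not code from this thread or from Nextcloud: a small Python checker that parses a raw HTTP response header block and reports, per header, whether it is missing, set more than once, or, for Content-Security-Policy, carries no recognised directive. The header names and values are taken from the vhost snippet in the question; the two sample responses and the function names are constructed for the example.

```python
"""Local checker for the security headers discussed in this thread.

Added example, not code from the thread or from Nextcloud. Repeated headers
are what you get when the vhost and nextcloud/.htaccess both set the same
header; a CSP of "none" names no directive at all.
"""
from collections import defaultdict
from typing import Dict, List

# Header names and values from the vhost snippet in the question, lowercased.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-robots-tag": "none",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "no-referrer",
    "x-frame-options": "sameorigin",
}

# A CSP is only meaningful if it names at least one directive.
CSP_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "frame-ancestors", "base-uri", "form-action", "worker-src", "manifest-src",
}

# Constructed sample: the bare domain, served by 000-default.conf with no
# Header directives at all (assumed, not captured from a real server).
ROOT_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html
"""

# Constructed sample: /nextcloud where three headers are set both in the vhost
# and in nextcloud/.htaccess, plus the CSP "none" and a doubled Feature-Policy.
NEXTCLOUD_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
Feature-Policy: autoplay 'none';camera 'none'
Feature-Policy: autoplay 'none';camera 'none'
Content-Security-Policy: none
Content-Type: text/html
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lowercased header name -> list of values, keeping repeats."""
    headers: Dict[str, List[str]] = defaultdict(list)
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def csp_has_directive(value: str) -> bool:
    """True if at least one ';'-separated part starts with a known directive name."""
    names = [part.strip().split()[0].lower() for part in value.split(";") if part.strip()]
    return any(name in CSP_DIRECTIVES for name in names)


def check(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per problem; an empty list means the response is clean."""
    findings = []
    for name, want in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:
            findings.append(f"{name}: duplicate ({len(values)} copies)")
        elif values[0].lower() != want:
            findings.append(f"{name}: unexpected value {values[0]!r}")
    for name in ("content-security-policy", "feature-policy"):
        if len(headers.get(name, [])) > 1:
            findings.append(f"{name}: duplicate ({len(headers[name])} copies)")
    csp = headers.get("content-security-policy", [])
    if len(csp) == 1 and not csp_has_directive(csp[0]):
        findings.append("content-security-policy: no valid directives found")
    return findings


if __name__ == "__main__":
    for label, raw in (("https://domain/", ROOT_RESPONSE),
                       ("https://domain/nextcloud/", NEXTCLOUD_RESPONSE)):
        print(label)
        for finding in check(parse_headers(raw)) or ["ok"]:
            print("  " + finding)
```

Feed it the headers exactly as the server sends them (for instance the output of curl -I): the Python requests library and similar clients merge a repeated header into one comma-joined value, which hides precisely the duplicate this thread is about.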