Headers warning after update

Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.6
  • Operating system and version (e.g., Ubuntu 24.04):
    • ubuntu 22.04 / docker
  • Web server and version (e.g, Apache 2.4.25):
    • not relevant
  • Reverse proxy and version _(e.g. nginx 1.27.2)
    • nginx proxy manager
  • PHP version (e.g, 8.3):
    • replace me
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes
  • When did this problem seem to first start?
    • after update
  • Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
    • docker
  • Are you using CloudfIare, mod_security, or similar? (Yes / No)
    • no

Summary of the issue you are facing:

In the overview, I am seeing the hints below. Sorry its in German. I basically tells me there a a lot of headers to be set.
Do I need to set them all in my reverse proxy?
Besides hsts I have no clue how to set them. And this was already set before.

This is how it looks like:


Do I need to add
X-Content-Type-Options = nosniff
X-Robots-Tag = noindex, nofollow

Steps to replicate it (hint: details matter!):

  1. Update instance

Log entries

Einige Header sind in deiner Instanz nicht richtig eingestellt - Der HTTP-Header X-Content-Type-Options ist nicht auf nosniff gesetzt. Dies stellt ein potenzielles Sicherheits- oder Datenschutzrisiko dar und es wird empfohlen, diese Einstellung zu ändern. - Der HTTP-Header X-Robots-Tag ist nicht auf noindex,nofollow gesetzt. Dies stellt ein potenzielles Sicherheits- oder Datenschutzrisiko dar und es wird empfohlen, diese Einstellung zu ändern. - Der HTTP-Header X-Frame-Options ist nicht auf sameorigin gesetzt. Dies stellt ein potenzielles Sicherheits- oder Datenschutzrisiko dar und es wird empfohlen, diese Einstellung zu ändern. - Der HTTP-Header X-Permitted-Cross-Domain-Policies ist nicht auf none gesetzt. Dies stellt ein potenzielles Sicherheits- oder Datenschutzrisiko dar und es wird empfohlen, diese Einstellung zu ändern. - Der HTTP-Header X-XSS-Protection enthält nicht 1; mode=block. Dies stellt ein potenzielles Sicherheits- oder Datenschutzrisiko dar und es wird empfohlen, diese Einstellung zu ändern. - Der HTTP-Header Referrer-Policy ist nicht auf “no-referrer”, “no-referrer-when-downgrade”, “strict-origin”, “strict-origin-when-cross-origin” oder “same-origin” gesetzt. Dadurch können Verweisinformationen preisgegeben werden. Siehe die W3C Recommendation. - Der Strict-Transport-Security-HTTP-Header ist nicht gesetzt (er sollte mindestens 15552000 Sekunden betragen). Für erhöhte Sicherheit wird empfohlen, HSTS zu aktivieren

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

PASTE HERE

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

PASTE

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

PASTE HERE

Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.
1 Like

Yes, you need to set those security headers in your reverse proxy. You can add them under your nginx proxy manager’s advanced settings using:

add_header X-Content-Type-Options “nosniff”;
add_header X-Robots-Tag “noindex, nofollow”;
add_header X-Frame-Options “SAMEORIGIN”;
add_header X-Permitted-Cross-Domain-Policies “none”;
add_header X-XSS-Protection “1; mode=block”;
add_header Referrer-Policy “no-referrer”;
add_header Strict-Transport-Security “max-age=15552000; includeSubDomains” always;

Restart the proxy after saving. These headers improve security and resolve the warnings.

1 Like