Hi, I’ve recently upgraded to Nextcloud 18.0.6. I’m receiving the following warnings about my setup:
- The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “X-Robots-Tag” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “X-Download-Options” HTTP header is not set to “noopen”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The “X-Permitted-Cross-Domain-Policies” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
I’m using nginx as my web server with Nextcloud. In another installation I also have a reverse proxy (RP) involved. Are these headers added at the RP level, at the web server level, or both?
This is a relatively new finding for me since I really haven’t changed the nginx configuration at all.
Here is a snippet of my nginx config vdomain file for nextcloud:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nextcloud.domain.com;
    access_log /var/log/nginx/nextcloud.domain.com.access.log main buffer=32k;
    error_log /var/log/nginx/nextcloud.domain.com.error.log;
    include snippets/domain.com.cert.conf;
    include snippets/nextcloud-headers.conf;
    # ... rest of the server block not shown in the post
}
Here is the snippets/nextcloud-headers.conf file:
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
#
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
When I do an nginx -T, the configuration is printed with the included file at the bottom.
Do these directives need to go elsewhere?
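A quick way to see which of the five headers from the setup check actually reach the client, as an added example that is not part of the original post: the function below reads raw response headers (for instance from curl -sI against the nextcloud.domain.com host named above) and reports each expected header that is missing or carries a different value; the sample headers in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the post): verify that the response headers Nextcloud's
# setup check expects are present with the expected values.
# Usage against a live server (hostname taken from the post):
#   curl -sI https://nextcloud.domain.com/ | check_nextcloud_headers
# Note: in nginx, add_header lines inside a location block replace the ones
# inherited from the server block, so a location with its own add_header
# drops these unless the snippet is included there too.
# Prints one line per problem; returns 0 if all headers are correct, 1 otherwise.
check_nextcloud_headers() {
    # Normalise input: drop CR, lowercase header names, trim whitespace,
    # and emit "name:value" lines (status line has no colon and is skipped).
    headers=$(tr -d '\r' | awk 'index($0,":") > 0 {
        i = index($0, ":"); name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print name ":" val }')
    rc=0
    # Expected name:value pairs, exactly as the warnings in the post list them.
    for pair in x-content-type-options:nosniff x-robots-tag:none \
                x-frame-options:SAMEORIGIN x-download-options:noopen \
                x-permitted-cross-domain-policies:none; do
        name=${pair%%:*}
        want=${pair#*:}
        # First matching header wins; value is everything after the name's colon.
        got=$(printf '%s\n' "$headers" | awk -F: -v n="$name" \
              '$1 == n { print substr($0, length(n) + 2); exit }')
        if [ -z "$got" ]; then
            echo "MISSING $name (expected \"$want\")"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $name: got \"$got\", expected \"$want\""
            rc=1
        fi
    done
    return $rc
}
```

Run it once against the nginx host and once through the reverse proxy; if the headers disappear only on the proxied path, the proxy is stripping or replacing them.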