Help with nextcloud needed headers

Hi, I’ve recently upgraded to Nextcloud 18.0.6. I’m receiving the following warnings about my setup:

  • The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Robots-Tag” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Download-Options” HTTP header is not set to “noopen”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Permitted-Cross-Domain-Policies” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

I’m using nginx as my webserver with Nextcloud. In another installation I also have a reverse proxy (RP) involved. Are these headers added at the RP level, at the webserver level, or both?

This is a relatively new finding for me since I really haven’t changed the nginx configuration at all.

Here is a snippet of my nginx config vdomain file for nextcloud:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nextcloud.domain.com;

    access_log /var/log/nginx/nextcloud.domain.com.access.log main buffer=32k;
    error_log /var/log/nginx/nextcloud.domain.com.error.log;

    include snippets/domain.com.cert.conf;
    include snippets/nextcloud-headers.conf;

Here is the snippets/nextcloud-headers.conf file:

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
#
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

When I do an nginx -T, the configuration is printed with the included file at the bottom?
Do these directives need to go elsewhere?

I thought I had this problem solved by just adding one line in the headers file – but I can see today I’m still getting these errors:

* The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
* The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
* The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
* The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
* The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

Did something change between 18.04 and 18.05? I didn’t use to get these errors, and I didn’t change my nginx setup at all.

Nothing changed; I have nginx too and no problem. That doesn’t matter, don’t worry.
Did you add your “include snippets…” at the end of
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    include snippets…;
}

Restart nginx after

Yes I did. Here is my nginx vdomain file.
https://hastebin.com/akukeworuf.nginx

It’s very similar to the actual domain file listed here: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

I’ve restarted nginx a bunch of times. Very strange.
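The quickest way to tell which situation applies here is to fetch a couple of paths with curl -I (the front page and one .js or .css file) and compare the response headers, because nginx only inherits add_header from the enclosing level when the current level defines no add_header of its own; a static-asset location block that sets Cache-Control therefore drops the server-level headers unless the snippet is included again inside it. The script below is an example added to this thread, not code from Nextcloud or nginx: it parses a raw HTTP header block and reports every header from the warnings above that is missing, duplicated or has the wrong value. Both sample responses are constructed (the nginx Server line and the asset path are placeholders) to show the headers present for "/" and absent for an asset served from a location block that was not given the include.

```python
"""Compare an HTTP response header block against the headers Nextcloud's setup check wants.

Added example for the thread above (not Nextcloud's or nginx's own code). The
expected values are taken from the warnings quoted in the thread; the sample
responses below are constructed, not captured from a real server.
"""
from __future__ import annotations

# Header name -> value named in the Nextcloud 18 setup-check warnings above.
EXPECTED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse the header block of a raw HTTP/1.x response (status line plus headers).

    Header names are case-insensitive, so they are lower-cased as keys; repeated
    headers are kept as a list so that duplicates (e.g. the same add_header at
    two levels) can be spotted.
    """
    lines = raw.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("expected a status line such as 'HTTP/1.1 200 OK'")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block; anything after it is body
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def header_problems(raw: str) -> list[str]:
    """Return one message per expected header that is missing, duplicated or wrong.

    Values are compared case-insensitively after stripping whitespace.
    """
    headers = parse_headers(raw)
    problems: list[str] = []
    for name, wanted in EXPECTED_HEADERS.items():
        values = headers.get(name.lower())
        if values is None:
            problems.append(f"{name}: missing")
        elif len(values) > 1:
            problems.append(f"{name}: sent {len(values)} times ({', '.join(values)})")
        elif values[0].lower() != wanted.lower():
            problems.append(f"{name}: is {values[0]!r}, expected {wanted!r}")
    return problems


# Constructed sample: response for "/" from a server block that includes the
# headers snippet at server level, matching snippets/nextcloud-headers.conf above.
RESPONSE_ROOT = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
"""

# Constructed sample: response for a .js file from a location block that sets its
# own add_header (Cache-Control) without re-including the snippet. nginx inherits
# add_header from the enclosing level only when the current level has none, so
# every server-level header is gone here.
RESPONSE_JS = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript
Cache-Control: public, max-age=15778463
"""


def main() -> None:
    # "/example.js" is a placeholder path, not one taken from a real install.
    for label, raw in (("/", RESPONSE_ROOT), ("/example.js", RESPONSE_JS)):
        problems = header_problems(raw)
        print(f"{label}: {'ok' if not problems else f'{len(problems)} problem(s)'}")
        for problem in problems:
            print("  -", problem)


if __name__ == "__main__":
    main()
```

To use it against a live server, paste the output of curl -I for each path into the two strings (or read them from files); if the front page passes and an asset path fails, the fix is the one suggested in the reply above, including the headers snippet inside the static-file location block as the Nextcloud nginx documentation does, then restarting nginx.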