__Host-Prefix wrong

Hardenings

Rating A
X __Host-Prefix
The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.

Hi, I tried the method in the forum. The error is also displayed, and there is only A but not A+. Does anyone have a better suggestion?

Like this:
1.
vi "/var/www/nextcloud/config/config.php"
'overwriteprotocol' => 'https',
2.
vi /etc/apache2/sites-available/000-default.conf
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"

Running Nextcloud 25.0.3.2

Latest patch level

Major version still supported

Scanned at 2023-02-06 07:30:27

There are two conditions:

OK, it seems that the cause of this error is because my folder is
"/var/www/nextcloud/"
not
"var/www/"

I saw "this is only a "hardening" but not a security vulnerability per se"
So… OK, let it continue to Rating A.
Thank you.

The test, and also the messages in the admin interface, are not always hard error messages where something is really broken; often these are warnings and tips on what you can do better, but they don't apply in all cases.
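For reference, browsers only accept a cookie named with the `__Host-` prefix if it carries `Secure`, has no `Domain` attribute and has `Path=/`. The following check is an added example, not part of the original thread or of Nextcloud's code; the sample `Set-Cookie` values are constructed, and the `/nextcloud` URL path is an assumption based on the folder mentioned above.

```python
# Added example: test Set-Cookie values against the browser rules for the
# __Host- cookie name prefix. All sample header values are constructed.

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attributes with lowercase keys)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def host_prefix_issues(value):
    """Return the reasons a cookie does not qualify as a __Host- cookie."""
    name, attrs = parse_set_cookie(value)
    issues = []
    if not name.startswith("__Host-"):
        issues.append("name lacks __Host- prefix")
    if "secure" not in attrs:
        issues.append("Secure attribute missing")
    if "domain" in attrs:
        issues.append("Domain attribute present")
    if attrs.get("path") != "/":
        issues.append("Path is not /")
    return issues


# Constructed sample: instance served from the web root over HTTPS.
ROOT = "__Host-nc_sameSiteCookiestrict=true; path=/; secure; HttpOnly; SameSite=strict"
# Constructed sample: instance served from a subdirectory (assumed /nextcloud).
SUBDIR = "nc_sameSiteCookiestrict=true; path=/nextcloud; HttpOnly; SameSite=strict"
# The same cookie after the "Header edit Set-Cookie" rule quoted in the thread,
# which appends attributes but changes neither the cookie name nor its path.
SUBDIR_EDITED = SUBDIR + ";HttpOnly;Secure;SameSite=Strict"

if __name__ == "__main__":
    for label, header in [("root", ROOT), ("subdir", SUBDIR),
                          ("subdir + Header edit", SUBDIR_EDITED)]:
        print(label, "->", host_prefix_issues(header) or "qualifies")
```

Appending attributes in Apache adds `Secure`, but a cookie scoped to a subdirectory path still cannot carry the prefix.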