How bad are the X-* HTTP warnings in the administration panel

I have installed NextCloud on a shared hosting server by OVH, but with a dedicated processor and RAM.
After the installation I got some warnings in the administration panel that I was able to remove after reading the official NextCloud documentation.
But there are still 6 warnings (see below) that cannot be removed because I don't have access to the Apache configuration. I got in touch with OVH support and they told me they don't want to change the server configuration. They advised me to switch to a dedicated server offer, which would mean more cost but also more work to install and maintain everything.

Warnings
The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.

My questions to you:
Knowing that only close family members will access my NextCloud instance, how bad are these warnings? Is my instance insecure? Can it be attacked by a person who doesn't have a user account or who accesses a public share link?

Using shared hosting on OVH is a bad idea for me.
Some Nextcloud admins use it on shared hosting (on DigitalOcean for example), but you have so many problems with that.

The performance is shared with other users, the bandwidth too.

You can't install the PHP extensions you want... You can't modify .htaccess as you want, and so on.

The big problem for me is that you can't protect your Nextcloud against XSS attacks. Your Nextcloud server will be really vulnerable.

The starter price on OVH for a VPS is 40€/year. You will have a good processor, 2 or 4 GB of RAM and 10 GB of SSD.

Pros: dedicated 100 Mbit/s bandwidth
Fast storage
A good list of Linux distros
Quite cheap for the product

Cons: costs more than shared hosting
You have to install everything and maintain it: web server, PHP, database, firewalling, SSH protection, etc.
10 GB is quite small and you have to pay for 50 GB more.

In my experience: I use a Nextcloud on an OVH VPS 10 GB at work. Main usage is calendar, contacts and some files I have to share. And another one at home on a little mini PC (Raspberry-like) Core2Quad - 4 GB - 500 GB SSD behind my router. I have VDSL2+ (56 Mbit/s down - 18 Mbit/s up); this one is for my family, and it works really great.

Again, never forget to do daily backups. I have a NAS for saving the data and databases of both servers.

These warnings do not make your Nextcloud per se insecure. However, cross-site scripting errors have been found a couple of times in the past: https://nextcloud.com/security/advisories/

If you use it for a calendar and don't mind sharing it with more people than intended, or you just share a shopping list, I would perhaps take the risk.

A vserver is a good start, not too expensive, and you can ramp up the performance if you need more. If the budget is tight, home hosting isn't so bad either and is perhaps also a good start when you want to make your first steps with Linux.

Thanks a lot for your quick and interesting answers.
More about my reasons for choosing OVH and the shared hosting offer:
I have had my OVH account since 2006 and already host a blog and a wiki. I pay 12€/month for the Performance 1 offer with 2 GB RAM and 1 processor and with 500 GB of storage. The 500 GB are very important for me because I want to use NextCloud to store my private data. It is true that I cannot do everything; for instance, video calls aren't working.
I also have a NAS solution at home to store my data, but a NAS can be physically stolen, hence I need a cloud instance on the internet.
Moving to a VPS offer would be OK for the cost, but the maintenance of all the underlying software (OS, Apache, PHP, etc.) would be too high. Moreover, not updating the components at the right time could also lead to a security breach :frowning:
About the security
I have done some research about the X-* HTTP headers. If I understand correctly, these are headers that concern only modern web browsers. It means they will protect my website against XSS attacks from script kiddies, but real attackers do not use a standard web browser, am I right?
About the warning
After doing a curl -I on my NextCloud instance I saw that the X-* headers are actually sent, but twice! This is a known issue, see https://github.com/nextcloud/server/issues/3322, and here https://github.com/owncloud/core/issues/17613. Commenting them out (I know this is not a proper solution) in the .htaccess of NextCloud makes them appear only once, but I will have to re-modify the .htaccess after each update.
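A small checker for the raw response that `curl -I` prints, as an added example for this thread (not part of the posts above and not Nextcloud's own setup-check code). It reports each of the six headers from the warnings as ok, missing, wrong or duplicate, the last being the "sent twice" case described above; the hostname in the comment is a placeholder.

```python
# Check the X-* headers Nextcloud's admin panel warns about, in a raw HTTP response
# (e.g. what `curl -sI https://cloud.example.invalid/` prints). Added example, not Nextcloud code.
from collections import defaultdict

# Values from the six warnings quoted in the question (compared case-insensitively).
EXPECTED = {
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-robots-tag": "none",
    "x-frame-options": "sameorigin",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
}

def parse_headers(raw):
    """Map lower-cased header name -> list of values, keeping duplicates."""
    headers = defaultdict(list)
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def check_headers(raw):
    """Return {header: 'ok' | 'missing' | 'wrong' | 'duplicate'}."""
    found = parse_headers(raw)
    report = {}
    for name, want in EXPECTED.items():
        values = found.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:          # the "sent twice" case from the thread
            report[name] = "duplicate"
        else:
            report[name] = "ok" if values[0].lower() == want else "wrong"
    return report

# Constructed samples: each header once (what the setup check wants) and twice (the bug).
ONCE = ("X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n"
        "X-Robots-Tag: none\r\nX-Frame-Options: SAMEORIGIN\r\n"
        "X-Download-Options: noopen\r\nX-Permitted-Cross-Domain-Policies: none\r\n")
FIXED = "HTTP/1.1 200 OK\r\nServer: Apache\r\n" + ONCE + "\r\n"
DUPLICATED = "HTTP/1.1 200 OK\r\nServer: Apache\r\n" + ONCE + ONCE + "\r\n"

if __name__ == "__main__":
    import sys  # pipe `curl -sI <url>` into this script; the sample is used otherwise
    raw = sys.stdin.read() if not sys.stdin.isatty() else DUPLICATED
    print(check_headers(raw))
```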

Hello,

I am using an OVH shared web hosting PRO offer. You can get rid of these warnings with the following modifications to Nextcloud's “.htaccess” file. Of course, you will then get a warning from Nextcloud's code integrity check about that file.

Hope, it might help. :wink:

Best regards.

Pascal

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Robots-Tag "none"
    Header always set X-Download-Options "noopen"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    SetEnv modHeadersAvailable true
  </IfModule>