How to prefix the cookie with __Host-?

scan.nextcloud.com suggests:

The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.

Where can I set the cookie prefix?

Please don’t just omit the support template, there’s a reason it’s there. Which NC version are you using? I assume this warning is already fixed in a later version …

1 Like

You could try this: How to edit config.php for Nextcloud snap even though you’re not using the snap… it should be similar

occ config:system:set session.cookie_secure --value="true"

Are you sure that’s working? That’s a PHP ini config, not a Nextcloud one?
But even then it’s not necessary, as we set it automatically: server/lib/base.php at 988b9c479dc72d0b9add899d6f8eb66cbb3fbaa2 · nextcloud/server · GitHub. Only the status.php did not set up a session in non-recent versions.

1 Like
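To check what a server actually emits, the Set-Cookie values can be audited against the rules browsers enforce for the `__Host-` prefix (Secure required, no Domain attribute, Path exactly `/`). This is an added example, not part of the thread or of Nextcloud's code; the function names and cookie names are constructed for illustration.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def prefix_problems(header_value):
    """Return the findings for one Set-Cookie value; an empty list means OK."""
    name, attrs = parse_set_cookie(header_value)
    lowered = name.lower()  # compared case-insensitively to be strict
    problems = []
    if lowered.startswith("__host-"):
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly /")
    elif lowered.startswith("__secure-"):
        if "secure" not in attrs:
            problems.append("missing Secure")
    else:
        problems.append("no __Host- prefix")
    return problems


# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    "__Host-example_session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-example_session=abc; Path=/; Domain=example.com; Secure",
    "__Host-example_session=abc; Path=/app",
    "example_session=abc; Path=/; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        findings = prefix_problems(header)
        print(("OK  " if not findings else "FAIL"), header, findings)
```

The header values to feed in can be copied from the browser's developer tools or from the response headers of a request to the instance.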