I use Nextcloud with Apache 2.4.27. According to the “Security & setup warnings” in the admin panel, I set the following options in my Apache’s httpd.conf:
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Robots-Tag none
Header set X-Frame-Options SAMEORIGIN
With these additional settings, the security & setup warnings disappear. However, when I test my web server’s security using the security test at https://www.htbridge.com/websec/, it tells me that I should use the following settings:
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-Frame-Options SAMEORIGIN
and if I do that, I get a good security grade (B). However, with those settings, Nextcloud claims the following:
The “X-XSS-Protection” HTTP header is not configured to equal to “1; mode=block”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Robots-Tag” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.
Why do I see these warnings? I would expect that the options are always set if I use the keyword ‘always’ in my Apache config. If I remove it, the warnings disappear in the admin panel, but I get an F grade for my web server’s security.
For optimal security, administrators are encouraged to serve these basic HTTP headers by the Web server to enforce them on response.
In the default .htaccess they are indeed set without “always”:
<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true
</IfModule>
But as far as I understand, I would agree that “always” should also be accepted by Nextcloud.
Testing my server with https://www.htbridge.com/websec/ and explicitly giving the Nextcloud subfolder (with .htaccess) there, I get an A+ grade with all headers “properly set”, without any complaint about the missing “always”.
For just https://mydomain.com/nextcloud, I only get a permanent redirect to index.php, and only in index.php does Nextcloud actually add the header.
If you want to prove that the header is not set correctly or not analyzed, you need to show us what your headers look like in both cases. We can then perhaps push this to GitHub in case the header detection fails somehow.
With the htbridge tool, I get a B grade for security, because I have not enabled HPKP. Anyway, my Apache configuration uses the following settings:
# this is for nextcloud
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
And in Nextcloud, I definitely get the setup warnings that the headers are configured wrong. However, if I remove the keyword ‘always’ in my Apache config, Nextcloud no longer complains, but with the security check I get a straight F. I also checked the .htaccess file in the Nextcloud directory. It has the same contents as @MichaIng described.
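The header capture MichaIng asks for above, as an added example that is not part of the thread or of Nextcloud: it reports, for each header the admin panel checks, whether a response carries it exactly once with the expected value, is missing it (as on the redirect from /nextcloud), or carries it twice (which an exact-match check rejects). The host mydomain.com is the placeholder used in the thread; `check_headers`, `fetch_headers` and `EXPECTED` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the headers Nextcloud
# checks across "Header set" and "Header always set" runs. A header that
# arrives twice (two lines, or one comma-joined value) is flagged separately
# because an exact-match check like the admin panel's will reject it.

# Expected name=value pairs, taken from the admin-panel warnings quoted above.
EXPECTED='X-XSS-Protection=1; mode=block
X-Content-Type-Options=nosniff
X-Robots-Tag=none
X-Frame-Options=SAMEORIGIN'

# check_headers: reads a raw HTTP response header dump on stdin and prints
# one line per expected header: OK, MISSING, DUPLICATE (...) or MISMATCH (...).
# Exit status is 0 only when every expected header is OK.
check_headers() {
    hdrs=$(tr -d '\r')          # curl dumps use CRLF line endings
    rc=0
    while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        # header names are case-insensitive; values are kept as sent
        vals=$(printf '%s\n' "$hdrs" | grep -i "^$name:" \
               | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
        n=$(printf '%s\n' "$vals" | awk 'NF { c++ } END { print c + 0 }')
        if [ "$n" -eq 0 ]; then
            printf '%s: MISSING\n' "$name"; rc=1
        elif [ "$n" -gt 1 ] || [ "$vals" != "${vals%%,*}" ]; then
            # two header lines, or one line carrying a comma-joined value
            dup=$(printf '%s' "$vals" | tr '\n' ' ')
            printf '%s: DUPLICATE (%s)\n' "$name" "$dup"; rc=1
        elif [ "$vals" = "$want" ]; then
            printf '%s: OK\n' "$name"
        else
            printf '%s: MISMATCH (%s)\n' "$name" "$vals"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# fetch_headers URL: dump the response headers of one GET without following
# redirects, so the redirect at /nextcloud and the page at /nextcloud/index.php
# can be inspected separately.
fetch_headers() {
    curl -sS -D - -o /dev/null "$1"
}
```

Run it once per configuration with `fetch_headers https://mydomain.com/nextcloud/ | check_headers` and again for `https://mydomain.com/nextcloud/index.php`; the two outputs are what to paste when reporting the header-detection issue.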