Hi,
after the update from nc17 to nc18, the HTTP header warnings reappeared:
> The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation ↗.
The messages are in the standard file /var/www/nextcloud/.htaccess:
<IfModule mod_env.c>
# Add security and privacy related headers
Header always set Referrer-Policy "no-referrer"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Download-Options "noopen"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "none"
Header always set X-XSS-Protection "1; mode=block"
SetEnv modHeadersAvailable true
</IfModule>
And in /etc/apache2/sites-enabled/000-default.conf:
<VirtualHost *:443>
DocumentRoot /var/www
ServerName Nextcloud
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
Header set X-Frame-Options "SAMEORIGIN"
Header always set Feature-Policy "autoplay 'none';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'"
Header set Content-Security-Policy "none"
SetEnv modHeadersAvailable true
</IfModule>
</VirtualHost>
And /etc/apache2/sites-enabled/nextcloud.conf:
# Alias /nextcloud /var/www/nextcloud/
<Directory /var/www/nextcloud/>
SSLRenegBufferSize 10486000
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
SSLRequireSSL
</Directory>
Redirect 301 /.well-known/carddav https://DOMAIN/nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav https://DOMAIN/nextcloud/remote.php/dav
What is configured wrong?
Thank you!
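One way to see what the server really sends for the URL the setup check inspects, as an added example that is not part of the original post or of Nextcloud itself: the script below fetches the raw response headers with curl (the URL is a placeholder; the two sample responses embedded in it are constructed) and compares them against the header names and values quoted in the warning above. Besides a missing or wrong value it also flags a header that arrives more than once, which the warning text does not distinguish from a missing one.

```shell
#!/bin/sh
# Added example, not from the original post: check a response's headers against
# the values the Nextcloud setup check asks for (taken from the warning text).
# The URL argument and the sample responses below are placeholders/constructed.

# header_values RAW NAME: print every value of header NAME found in RAW (a block
# of raw response headers), one per line; header name match is case-insensitive.
header_values() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '
        index($0, ":") && tolower(substr($0, 1, index($0, ":") - 1)) == tolower(n) {
            v = substr($0, index($0, ":") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v
        }'
}

# expect RAW NAME WANTED: 0 if NAME appears exactly once with value WANTED,
# otherwise print the problem and return 1. A header sent twice is a problem too.
expect() {
    vals=$(header_values "$1" "$2")
    count=$(printf '%s\n' "$vals" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "$2: missing (want \"$3\")"; return 1
    elif [ "$count" -gt 1 ]; then
        echo "$2: sent $count times ($(printf '%s' "$vals" | tr '\n' ','))"; return 1
    elif [ "$vals" != "$3" ]; then
        echo "$2: got \"$vals\", want \"$3\""; return 1
    fi
    return 0
}

# check_headers RAW: run every check; prints one line per problem and returns
# the number of problems found (0 means the setup check should be satisfied).
check_headers() {
    raw=$1; problems=0
    expect "$raw" X-Content-Type-Options nosniff         || problems=$((problems + 1))
    expect "$raw" X-Robots-Tag none                      || problems=$((problems + 1))
    expect "$raw" X-Frame-Options SAMEORIGIN             || problems=$((problems + 1))
    expect "$raw" X-Download-Options noopen              || problems=$((problems + 1))
    expect "$raw" X-Permitted-Cross-Domain-Policies none || problems=$((problems + 1))
    # Referrer-Policy accepts any of the five values listed in the warning.
    rp=$(header_values "$raw" Referrer-Policy)
    case $rp in
        no-referrer|no-referrer-when-downgrade|strict-origin|strict-origin-when-cross-origin|same-origin) ;;
        *) echo "Referrer-Policy: got \"${rp:-<missing>}\", want one of the recommended values"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# fetch_headers URL: raw response headers of exactly that URL (no redirect
# following, so a redirect target must be checked by giving its own URL).
fetch_headers() {
    curl -sS -o /dev/null -D - "$1"
}

# Constructed sample: what a correctly configured server should send.
SAMPLE_OK='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block'

# Constructed sample: most headers missing, one duplicated, a weak Referrer-Policy.
SAMPLE_BAD='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
Referrer-Policy: unsafe-url'

# Usage: sh check-headers.sh https://DOMAIN/nextcloud/   (DOMAIN is a placeholder)
if [ -n "$1" ]; then
    check_headers "$(fetch_headers "$1")" && echo "all headers OK"
else
    echo "no URL given; checking the constructed bad sample instead:"
    check_headers "$SAMPLE_BAD" || echo "-> $? problem(s) found"
fi
```

Run it against the same URL the setup check loads (the Nextcloud root, not a redirect). The duplicate check matters here because mod_headers keeps two separate header tables: `Header set` without `always` edits only the table used for normal responses, while `Header always set` edits the other one, so the same header name set in both places (as in the vhost and the .htaccess above) can arrive in the response twice.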