HTTP Headers in Docker

Hello everyone,

I wanted to say this has been going on for a while and is extrememly annoying.

I am trying to set up Nextcloud behind a Nginx reverse proxy (Homebrewed not nginx-proxy).
I put all my headers in the Nginx instance as a good practice. Unfortunately then Nextcloud spits out 2 headers for

The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

So they are set - however I would like these to go away, is there any way to have nextcloud stop sending these headers?
Is it insecure to have 2 sets of headers?

Thank you.

1 Like

if you use apache as the web server for nextcloud look at .htaccess in /var/www/nextcloud (or where ever nextcloud is installed to.)

Even with this disabled the headers are still sent for some reason.

I restarted the docker compose instance and still it puts the headers.

could you specify “they” and “these”?

if you set the headers correct the warning will go away. or?

As you can see in my previous post with the image.

I am receiving two sets of headers. One from my reverse proxy setting them and then one from my NextCloud instance. Is there a way to prevent Nextcloud from sending them because .htaccess doesn’t seem to work in the apache image.

However, if I can’t I will just ignore them I just don’t want it to be an issue if there is some flaw due to there being two headers.

nextcloud is a php program. it doesn’t send headers.
headers are typically send by web server and/or reverse proxy.

and headers are defined in web server/reverse proxy config file.

did you try egrep -r "SAMEORIGIN|nosniff" /? (may take a while.)
if you use docker we have to use another approach. but similar.

I apologize for the confusion, yes that’s why I keep saying “Nextcloud.”

I am using the docker instance of it. I thought I posted this thread in the (Docker, Snappy…) sub-forum.

I have restarted the docker instance after editing the .htaccess and it still is sending the headers through the reverse proxy.

Proxy settings from the docker-compose

                  - reverseproxy
          image: mariadb:latest
          container_name: mariadb
          command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
          restart: always
                  - "3306"
                  - ./cloud/db/:/var/lib/mysql
                  - MYSQL_ROOT_PASSWORD=test123
                  - MYSQL_PASSWORD=test12
                  - MYSQL_DATABASE=nextcloud
                  - MYSQL_USER=nextcloud
                  - proxy

                  - reverseproxy
                  - mariadb
          image: nextcloud
          container_name: nextcloud
          restart: always
                  - "80"
                  - ./cloud/www/:/var/www/html
                    #                  - ./cloud/apache/:/etc/apache2/
                  - NEXTCLOUD_OVERWRITEPROTOCOL=https
                  - NEXTCLOUD_OVERWRITEWEBROOT=/cloud
                  - proxy

the apache in the nextcloud container and the nginx reverse proxy have there own config files in the image.

i think it’s not a good idea to change the apache conf file. seems that you tried it here:

#                  - ./cloud/apache/:/etc/apache2/

the reverseproxy part of the docker-compose is missing.

I didn’t feel it important, as I said I have my homebrewed system. It is not the one that nextcloud uses on their github readme.

I did try it but it also didn’t work so I scrapped it, as you can see by the # symbol. I will grab my reverse-proxy conf for the nextcloud instance so you can see what headers I am putting on.

Nginx.conf (The main config) the common*.conf (s) add http headers

user nginx;
worker_processes 1;

error_log  /var/run/nginx/error_log.log warn;
pid        /var/run/;

        worker_connections  1024;

include common.conf;
include common_location.conf;
include ssl.conf;
include /etc/nginx/static/*;
include /etc/nginx/upstream/*;
sendfile on;

the common.conf

add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options              "SAMEORIGIN" always;
add_header X-Content-Type-Options       "nosniff" always;
add_header X-XSS-Protection             "1; mode=block" always;


proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   $scheme;
proxy_set_header    Host                $host;
proxy_set_header    X-Forwarded-Host    $host;
proxy_set_header    X-Forwarded-Port    $server_port;

the nextcloud.conf

upstream nextcloud {
        server nextcloud:80;

server {
  listen        443 ssl;

  location / {
        proxy_pass http://nextcloud;

if you comment this out one pair of header disappears?

This did fix it, I will need to adjust I guess how my headers are set. See if I can only add the ones to the other micro-services. It’s strange that these other ones never get an issue about double headers.

Thank you. I apologize for using this as a rubber ducky.

Apparently, you have to declare headers Nextcloud is missing outside of it but you cannot undeclare headers Nextcloud is trying to do itself.

Just a heads up.

did you look at to replace your nginx reverse proxy?

used here or here

1 Like

just for my understanding, you doing this against what folders?

may this helps:

all folders. brute force.
(and yes that sounds senseless if you can narrow down the location of the config. -> /etc + /var/www. But here are people using snap or having **** ideas where to put things.)