I wanted to say this has been going on for a while and is extrememly annoying.
I am trying to set up Nextcloud behind a Nginx reverse proxy (Homebrewed not nginx-proxy).
I put all my headers in the Nginx instance as a good practice. Unfortunately then Nextcloud spits out 2 headers for
The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
So they are set - however I would like these to go away, is there any way to have nextcloud stop sending these headers?
Is it insecure to have 2 sets of headers?
As you can see in my previous post with the image.
I am receiving two sets of headers. One from my reverse proxy setting them and then one from my NextCloud instance. Is there a way to prevent Nextcloud from sending them because .htaccess doesn’t seem to work in the apache image.
However, if I can’t I will just ignore them I just don’t want it to be an issue if there is some flaw due to there being two headers.
Nginx.conf (The main config) the common*.conf (s) add http headers
error_log /var/run/nginx/error_log.log warn;
This did fix it, I will need to adjust I guess how my headers are set. See if I can only add the ones to the other micro-services. It’s strange that these other ones never get an issue about double headers.
Thank you. I apologize for using this as a rubber ducky.
all folders. brute force.
(and yes that sounds senseless if you can narrow down the location of the config. -> /etc + /var/www. But here are people using snap or having **** ideas where to put things.)