HTTP Headers Warning

Hello, I installed Nextcloud successfully a few weeks ago and the Overview page wasn’t showing any errors. To my surprise, now it’s saying the following:

Some headers are not set correctly on your instance
- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The `X-Frame-Options` HTTP header is not set to `sameorigin`. Some features might not work correctly, as it is recommended to adjust this setting accordingly.
- The `X-Permitted-Cross-Domain-Policies` HTTP header is not set to `none`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
For more details see the documentation.

I’m not sure how to fix this in Nextcloud itself but running the command

curl -I https://cloud.domain.tld

in a cmd prompt on Windows gave me the following results:

X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-Xss-Protection: 1; mode=block

This contradicts the error I’m receiving.

Might be of interest that I’m using Traefik as a reverse proxy and that I’m exposing Nextcloud with Cloudflare tunnels.

Thank you for helping out, I’m kinda lost now.

I think it is something recent.

4 hours ago, I turned off the server to upgrade RAM and now it's saying that the X-headers are misconfigured, and if I check the security of the server it says it's okay. This is really odd.

Using Nextcloud 29.0.1
Inside docker
inside ubuntu

Apache and PHP are well configured; the only changes I made are in red.

mods enabled

ls /etc/apache2/mods-enabled/
access_compat.load  authn_core.load  authz_user.load  deflate.load  filter.load   mpm_prefork.conf  php.load         rewrite.load   status.load
alias.conf          authn_file.load  autoindex.conf   dir.conf      headers.load  mpm_prefork.load  remoteip.load    setenvif.conf
alias.load          authz_core.load  autoindex.load   dir.load      mime.conf     negotiation.conf  reqtimeout.conf  setenvif.load
auth_basic.load     authz_host.load  deflate.conf     env.load      mime.load     negotiation.load  reqtimeout.load  status.conf

Can somebody help us?

I see this error on only one of two identical NC29 Docker installations: one shows no warning, the other one does!
No issue with the production instance running NC28.0.6.

Both instances run identical Traefik labels:

      - traefik.enable=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=web-secure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.priority=1             # for notify_push
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=Host(`${DOMAIN}`) # Nextcloud public FQDN
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencryptresolver
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=secHeaders3@file,nextcloud-redirect@file
      - traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=80
      - traefik.enable=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}_notify_push.entryPoints=web-secure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}_notify_push.priority=2
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}_notify_push.middlewares=nextcloud_strip_push
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}_notify_push.tls.certresolver=letsencryptresolver
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}_notify_push.rule=Host(`${DOMAIN}`) && PathPrefix(`/push`)
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}_notify_push.middlewares=nextcloud_striprefix_push@file
      - traefik.http.services.${COMPOSE_PROJECT_NAME}_notify_push.loadbalancer.server.port=7867

$ docker exec -ti test-nc-app-1 curl -I https://test-nc.mydomain.tld/status.php
..
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

$ docker exec -ti dev-nc-app-1 curl -I https://dev-nc.mydomain.tld/status.php
..
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

The only difference might be somewhere in the DB or config.php; the DEV instance has a longer history and might have some broken settings from the past…

Maybe no good solution so far; it sounds like a bug and requires a GitHub report…

I found my issue: the problem is related to SSO being activated in the instance where the error occurs. If SSO is active, unauthenticated requests are forwarded to an IdP. For details, see these GH issues.

The problem was addressed in 29.0.4: fix(settings): define a 'heartbeat' route, so SecurityHeaders can handle redirected root by smokris · Pull Request #45228 · nextcloud/server · GitHub

1 Like
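The two observations in this thread (the `curl -I` output shows all the headers, yet the overview page warns, and the warning only appears on the instance with SSO enabled) fit together once you look at which response a redirect-following check actually evaluates. The script below is an added example, not Nextcloud's own setup check or anything posted in this thread: it parses `curl -I`-style captures, compares them against the header values named in the warning (with whitespace and case ignored, so `noindex, nofollow` passes), and follows redirects the way a client that is not logged in would. The hostnames, the captured responses and the model that the check ends up at the IdP's response are constructed assumptions for illustration.

```python
"""Offline check of the security headers Nextcloud's overview page warns about.

Added example, not Nextcloud's own SecurityHeaders check. The captured
responses are constructed: the 'dev' host models an SSO setup where an
unauthenticated request to the root URL is redirected to an identity provider.
"""
from __future__ import annotations

# Values the overview warning in this thread asks for. Names are compared
# case-insensitively; values with whitespace and case ignored (our choice,
# so "noindex, nofollow" from curl matches "noindex,nofollow").
EXPECTED = {
    "x-robots-tag": "noindex,nofollow",
    "x-frame-options": "sameorigin",
    "x-permitted-cross-domain-policies": "none",
    "x-content-type-options": "nosniff",
}

# Constructed `curl -I`-style captures keyed by URL (hypothetical hosts).
RESPONSES = {
    "https://test-nc.example.tld/": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-Permitted-Cross-Domain-Policies: none\r\n"
        "X-Robots-Tag: noindex, nofollow\r\n"
    ),
    # Same headers as above, but the root redirects to the IdP (SSO case).
    "https://dev-nc.example.tld/": (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://idp.example.tld/login\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-Permitted-Cross-Domain-Policies: none\r\n"
        "X-Robots-Tag: noindex, nofollow\r\n"
    ),
    # The IdP's login page sets none of Nextcloud's headers.
    "https://idp.example.tld/login": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: no-store\r\n"
    ),
}


def parse_head(raw: str) -> tuple[int, dict[str, str]]:
    """Parse a raw HEAD response into (status code, lowercase-name header dict)."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def _norm(value: str) -> str:
    """Lowercase and drop all whitespace so 'noindex, nofollow' == 'noindex,nofollow'."""
    return "".join(value.lower().split())


def missing_headers(headers: dict[str, str]) -> list[str]:
    """Return one warning per expected header that is absent or has another value."""
    problems = []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            problems.append(f"{name} is not set")
        elif _norm(got) != _norm(want):
            problems.append(f"{name} is {got!r}, expected {want!r}")
    return problems


def fetch_following_redirects(url: str, responses=RESPONSES, max_hops: int = 5):
    """Resolve redirects like an unauthenticated client; return (chain, status, headers)."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = parse_head(responses[url])
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = headers["location"]
            chain.append(url)
            continue
        return chain, status, headers
    raise RuntimeError(f"too many redirects: {chain}")


def audit(url: str, responses=RESPONSES) -> dict:
    """Headers as a redirect-following check sees them, plus the redirect chain."""
    chain, status, headers = fetch_following_redirects(url, responses)
    return {"chain": chain, "final_status": status, "problems": missing_headers(headers)}


if __name__ == "__main__":
    for u in ("https://test-nc.example.tld/", "https://dev-nc.example.tld/"):
        result = audit(u)
        print(u, "->", " -> ".join(result["chain"][1:]) or "(no redirect)")
        for p in result["problems"] or ["all expected headers present"]:
            print("   ", p)
```

Running it shows the contrast: `curl -I` against the dev host returns the 302 with every expected header set (so `missing_headers(parse_head(...))` on that single response is empty), while a check that follows the redirect lands on the IdP page and reports all four headers as missing. That is why the fix in 29.0.4 points the check at a dedicated route that does not redirect rather than at the root URL.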

Thank you for finding these GitHub issues. I’m in fact using SSO and NC on Docker. I believe I don’t have anything to do but wait for a fix?

3 posts were split to a new topic: Copy&Paste issue with CODE (maybe related to http headers)
