HTTP headers X- warning

hibner · May 2, 2017, 6:43pm

Nextcloud version: 11.0.3
Operating system and version: CentOS Linux release 7.3.1611
nginx version: 1.12.0
PHP version: 7.1.4 (php-fpm)

The issue you are facing:
Nextcloud is complaining about security things but they’re already configured.

Error occurred while checking server setup

The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

/etc/nginx/sites-enabled/nextcloud.domain.tld:

server {
add_header Strict-Transport-Security “max-age=31557600; includeSubDomains”;
add_header X-Content-Type-Options “nosniff” always;
add_header X-Frame-Options “SAMEORIGIN” always;
add_header X-XSS-Protection “1; mode=block”;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
}

tflidd · May 6, 2017, 9:27am

Did you check with curl -vvvv https://yoururl if the header is really sent? If not, are you sure the add_header lines are in the right vhost?

jmarcet · May 30, 2017, 10:11am

Hi,

I’m having the same issue. I’m using Nextcloud 12.0.0 on Ubuntu 16.0.4 and I see the following warnings in the admin section:

The “X-XSS-Protection” HTTP header is not configured to equal to “1; mode=block”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Robots-Tag” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Download-Options” HTTP header is not configured to equal to “noopen”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Permitted-Cross-Domain-Policies” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.

I have checked with curl and they are all set correctly:

HTTP/1.1 302 Found
Server: nginx
Date: Tue, 30 May 2017 10:01:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: ; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=; path=/; HttpOnly
Content-Security-Policy: default-src ‘self’; script-src ‘self’ ‘unsafe-eval’ '***='; style-src ‘self’ ‘unsafe-inline’; frame-src ; img-src * data: blob:; font-src ‘self’ data:; media-src ; connect-src ; object-src ‘none’; base-uri ‘self’;
X-Frame-Options: SAMEORIGIN
Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: http:///login
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains;
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none

Is this a known issue? What else could be wrong?

aalaesar · May 30, 2017, 10:41am

I also had this issue when I upgraded to NC 12 with Nginx but only for the X-frame-Options message

I had to look back at the example configuration for nextcloud 12 which has changed a little bit since v9 and v10

Finally I removed the “addheader” statement in the nextcloud config file and the error message disappeared
I checked that the curl command still show X-Frame-Options: SAMEORIGIN in the header.

may be you also need to adapt your config.

This could be a parsing error of the tests scripts because X-Frame-Options: SAMEORIGIN appears 3 times in your header.
So maybe the statement is hard coded in Nextcloud now ?

Regards. Aal

jmarcet · May 30, 2017, 12:03pm

Hmm, you are right the header showed up three times.

I have cleaned up my nginx and the nginx sitting in front of it. Everything is all right now. No more warnings in the admin console.

Moreover, I now see one instance of SAMEORIGIN while I nuked it completely from my nginx. thus it seems Nextcloud pushes it on its own now.

Thanks a lot

tflidd · August 21, 2017, 10:27am

A post was split to a new topic: No additonal headers in apache