Https:// 403 (Forbidden)


I have a new probleme since my upgrade to nextcloud 11 since nextcloud 10: 403 (Forbidden)

Anybody can help me to this problem ?

You are not supposed to open this file via your browser, a proper configuration would create such an error. What is your problem?

Thanks for your answer, i don’t want open this file with my browser.
But when i want activate one app in application tab; i can’t activate any application with my good password (I can login to nextcloud with this password)
I think the .ocdata cause this error because on google develloper tool i seen this error: 403 (Forbidden)

I don’t understand why since this update i have this error… What could i find in .ocdata file ? Same thing than .htaccess ? What is the utility of this file ?

Thanks again,

There were some people reporting that the password on the app-page was not accepted. Check the bug tracker, if there is a matching report and open a new one if you can’t find anything yet.

Thanks tflidd,

I have found the answer here:".ocdata"_in_its_root

chown www-data:www-data .ocdata
chmod 666 .ocdata

You should not allow everybody to write this file. chmod 640 or 644 should be enough permissions.

I guess you mean “You should not allow everybody to write this file.” - I do not want to be nit picking, but I was pretty confused by this thread.

@ludovicis did you read carefully ? Your linked page says:

Things which didn’t work:

chown www-data:www-data .ocdata
chmod 666 .ocdata
Creating the file at every parent folder in the path.

btw, I had the same issue with v12

I know that post is old…
But i was wondering about the same message in my Chromium devtool.
So i was looking around in the code of NC.
And found that…

checkDataProtected: function() {
        var deferred = $.Deferred();
        if (oc_dataURL === false) {
            return deferred.resolve([]);
        var afterCall = function(xhr) {
            var messages = [];
            // .ocdata is an empty file in the data directory - if this is readable then the data dir is not protected
            if (xhr.status === 200 && xhr.responseText === '') {
                    msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),
                    type: OC.SetupChecks.MESSAGE_TYPE_ERROR

            type: 'GET',
            url: OC.linkTo('', oc_dataURL + '/.ocdata?t=' + (new Date()).getTime()),
            complete: afterCall,
            allowAuthErrors: true
        return deferred.promise();

I agree with Vertux, you should not allow everybody to write this file.
The 403 Forbidden is wanted!