Https:// seems not detecting X-Xss-Protection when report parameter is present


My Nextcloud instance provides the following cookie:

X-Xss-Protection "1; mode=block; report="

When I scan it with, it says this header is missing.

I suppose there’s some problem with the report parameter.

Hi!

I used to have the same behaviour both in Nextcloud 18 and
But headers were there… but twice!!

$ curl -I https://mysite
HTTP/2 302
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block

Twice because once in the nginx server conf, and once in .htaccess in my docker image…

I also untimely solved it when I hardened my SSL parameters using this conf :slight_smile: :
(no link)

ssl_session_timeout 1d;
ssl_session_cache shared:MySSL:10m;
ssl_session_tickets off;
ssl_dhparam /path/to/dh4096.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

Now the message has disappeared… :crazy_face:
I’ve got only notice about /oc(m|s)-provider/"
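The two observations in this thread (a scanner reporting X-XSS-Protection as missing when the value ends in an empty `report=` parameter, and the header being emitted twice because both nginx and `.htaccess` add it) can be checked locally with a small header parser. The following Python is an added example, not code from either poster or from Nextcloud; the raw response it inspects is constructed inline to mirror the `curl -I` output above, with a second copy of the header carrying the empty `report=` directive.

```python
"""
Parse X-XSS-Protection from a raw HTTP response, tolerating a trailing
`report=` parameter (even with an empty value) and flagging duplicate copies
of the header, which usually means two layers (proxy and application) both set it.
"""
from collections import defaultdict

# Constructed sample response (not captured from a real server): the header
# appears twice, and the second copy ends with an empty `report=` directive.
SAMPLE_RESPONSE = (
    "HTTP/2 302\r\n"
    "referrer-policy: no-referrer\r\n"
    "x-content-type-options: nosniff\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "x-xss-protection: 1; mode=block; report=\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lowercased header name: [values...]}, keeping duplicates in order."""
    headers = defaultdict(list)
    head, _, _ = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # blank or malformed line
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def parse_xss_protection(value):
    """Split '1; mode=block; report=' into (enabled, {directive: value}).

    A directive without '=' maps to None; 'report=' with nothing after it maps to ''.
    """
    parts = [p.strip() for p in value.split(";")]
    enabled = parts[0] == "1"
    directives = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        directives[key.strip().lower()] = val.strip() if sep else None
    return enabled, directives


def check_xss_protection(raw):
    """Evaluate every X-XSS-Protection copy in the response and summarise findings."""
    values = parse_headers(raw).get("x-xss-protection", [])
    findings = {
        "present": bool(values),        # the scanner's 'missing' verdict is wrong if True
        "duplicate": len(values) > 1,   # set by more than one layer
        "enabled": False,
        "mode_block": False,
        "empty_report": False,          # 'report=' with no URL, the case from the thread
    }
    for value in values:
        enabled, directives = parse_xss_protection(value)
        findings["enabled"] = findings["enabled"] or enabled
        findings["mode_block"] = findings["mode_block"] or directives.get("mode") == "block"
        if "report" in directives and not directives["report"]:
            findings["empty_report"] = True
    return findings


if __name__ == "__main__":
    for key, val in check_xss_protection(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

To run this against a live server, feed it the text of `curl -sI https://mysite` instead of `SAMPLE_RESPONSE`; a `duplicate: True` result means the header should be removed from one of the two layers, and `empty_report: True` means the `report=` directive is present but names no endpoint.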