Mozilla's HTTP Observatory report with AIO

The Basics

  • Using latest AIO 11.10.0 (Nextcloud 31.0.9.1) with the Caddy extension, no Cloudflare or the like

Summary of the issue you are facing:

When running the Mozilla HTTP Observatory scan against my Nextcloud instance I get a D rating.

Steps to replicate it (hint: details matter!):

  1. Go to HTTP Header Security Test - HTTP Observatory | MDN

  2. Scan your Nextcloud AIO instance

  3. Check the result

Do I have to worry or are these security claims irrelevant?

Hmm, for what it’s worth, I just scanned my AIO instance (which is web-facing and doesn’t use Caddy) and received an A+ rating. I’m using Nextcloud 32 and added https:// before my domain when starting the scan; perhaps that made a difference?

Update: I got an A+ when putting http:// before my site as well.

Thanks for the feedback. AIO instance or the “normal” Nextcloud installation?

AIO. My apologies, I meant to mention this in my initial message but forgot to do so.

Hm, since I did not change anything, the only difference is the use of the Caddy community container. Yet why should that make the assessment worse?

@szaimen could you please help me understand what I am doing wrong?

Tried without the Caddy community extension and I get an A+. So according to the test the proxy decreases security.

Given the lack of any cookies or CSP headers (among others) in your original test results, seems something was definitely wrong. Are you sure it wasn’t hitting some old IP or something? Maybe show the Raw Server Headers tab - it may offer some clues.

I can reproduce it by enabling/disabling the caddy community extension. Thus an old IP cannot be the reason.
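To follow up on the suggestion above to compare the Raw Server Headers of the D and A+ results, here is an added example (not from this thread and not part of Nextcloud or the AIO project) that takes a raw response header block, as copied from the Observatory's "Raw Server Headers" tab, and reports which of the protections the Observatory rates are missing. The two header blocks embedded in it are constructed for illustration, not captured from any instance, and the checks are a simplified approximation of the Observatory tests (presence of a CSP, HSTS with a max-age of at least six months, nosniff, framing protection, a safe Referrer-Policy, and Secure/HttpOnly on every cookie), not its actual scoring.

```python
import re

# Constructed sample of a response that would rate poorly: no CSP, no HSTS,
# no framing or referrer protection, and a cookie without Secure/HttpOnly.
# Not captured from a real instance.
RAW_WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: example
Set-Cookie: session=abc123; Path=/
"""

# Constructed sample of a hardened response, also not captured from a real instance.
RAW_STRONG = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
SIX_MONTHS = 15552000  # seconds; the HSTS max-age the Observatory treats as adequate


def parse_raw_headers(raw):
    """Parse a raw response header block into {lowercase-name: [values]}.
    Repeated headers (Set-Cookie in particular) are kept as separate values."""
    headers = {}
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    for line in lines:
        if ":" not in line:
            continue  # ignore anything that is not a header line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_ok(values):
    """HSTS passes only with a max-age of at least six months."""
    for v in values:
        m = re.search(r"max-age=(\d+)", v, re.I)
        if m and int(m.group(1)) >= SIX_MONTHS:
            return True
    return False


def cookies_ok(values):
    """Every cookie must carry Secure and HttpOnly; no cookies at all is fine."""
    for v in values:
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            return False
    return True


def check_headers(raw):
    """Return {check-name: passed} for the header-based checks."""
    h = parse_raw_headers(raw)
    csp = " ".join(h.get("content-security-policy", []))
    framing = "frame-ancestors" in csp.lower() or any(
        v.upper() in ("DENY", "SAMEORIGIN") for v in h.get("x-frame-options", [])
    )
    return {
        "content-security-policy": bool(csp),
        "strict-transport-security": hsts_ok(h.get("strict-transport-security", [])),
        "x-content-type-options": any(v.lower() == "nosniff" for v in h.get("x-content-type-options", [])),
        "clickjacking-protection": framing,
        "referrer-policy": any(v.lower() in SAFE_REFERRER for v in h.get("referrer-policy", [])),
        "cookies": cookies_ok(h.get("set-cookie", [])),
    }


def missing(raw):
    """Sorted names of the checks that fail for this header block."""
    return sorted(name for name, ok in check_headers(raw).items() if not ok)


if __name__ == "__main__":
    for label, raw in (("weak", RAW_WEAK), ("strong", RAW_STRONG)):
        print(label, "missing:", missing(raw) or "nothing")
```

Paste the header block from each scan (proxied and unproxied) into the two constants, or read them from files, and diff the two `missing()` lists: whatever appears only in the proxied result is what the proxy path is dropping or never adding, which is a much more precise starting point than the letter grade.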