NC10 - Reset password form action not SSL

Hi,

The password-reset form for our users is not working because the action of the form refers to http://… instead of https://…, although the page is called with https.

Firefox console states: “Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.”

Does anyone know why?


Nextcloud version: 10.0.1
Operating system and version: SLES 11 SP4
Apache or nginx version: Apache 2.2.12
PHP version: 2.2.12

Can you reliably replicate it? (If so, please outline steps): Yes. Just try to reset your password

The issue you are facing: reset-password-form is not submitted

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'instanceid' => '…',
  'passwordsalt' => '…',
  'secret' => '…',
  'trusted_domains' =>
  array (
    0 => '10.xxx.xxx.xxx',
    1 => '10.xxx.xxx.xxx',
    2 => 'cloud.example.com',
    3 => 'cloud.example.org',
  ),
  'datadirectory' => '/data/nextcloud/',
  'overwrite.cli.url' => 'https://cloud.example.com',
  'logtimezone' => 'UTC',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'localhost',
  'mail_smtpport' => '25',
  'mail_from_address' => 'noreply',
  'mail_domain' => 'example.com',
  'memcache.local' => '\OC\Memcache\APCu',
  'default_language' => 'de_DE',
  'theme' => 'example',
  'maintenance' => false,
  'loglevel' => 2,
);

Thanks!
Stefan

Is this for an external authentication plugin (LDAP)? Or the main NC password reset?

Please retest with a current NC 10 version, the issue could have been fixed already:

The main NC password reset.

I had a look at it on two different NC 11 installations. Everything's fine. But the networking is quite different there (no SSL offloading).

And my problem is, I can't update to the latest NC10 as fast as I would like to. So I had hoped that someone has an idea what else to do, or where to look in the code to find out more about it.

After an update to 11.0.2, still the same behavior. The password-reset form points to HTTP instead of HTTPS.

Firefox's developer console states: "09:16:41.000 Content Security Policy: The page's settings blocked the loading of a resource at http://cloud…/index.php/lostpassword/set/F7r0T31tOxOj6BjDWuxX7/test ("connect-src https://cloud…"). 1 (unknown)"

Could this have something to do with our SSL offloading? Nextcloud's Apache is configured only on port 80. SSL offloading is done by our Netscaler.

–edit–
Some more details: Calling Nextcloud with https to reset the password results in an email with the reset instructions, as expected. But the link to the password reset in the email is http://…
Changing the email template ("replace http: with https:") makes the received link OK. But still the same error when opening this link and changing the password.

Found the - obvious - solution: 'overwriteprotocol' => 'https'

Thanks for reading and trying to help!

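For readers hitting the same symptom behind a TLS-terminating load balancer, here is the config.php fragment that addresses it. This is an added example, not the poster's config and not an official Nextcloud snippet; the host name, the offloader address 10.0.0.1 and the regex built from it are placeholders. It shows the overwriteprotocol fix from the thread together with the related keys a practitioner would normally set at the same time, and explains in comments why the http:// form action (and the CSP connect-src violation quoted above) appear in the first place.

```php
<?php
// Added example for a Nextcloud instance whose TLS is terminated on a load
// balancer (SSL offloading) while Apache itself listens only on plain HTTP.
// Values marked PLACEHOLDER are assumptions, not taken from the thread.
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
  ),

  // Nextcloud builds absolute URLs (redirects, password-reset links in
  // e-mails, form actions) from the scheme of the request it actually sees.
  // Behind an offloader that hop is plain HTTP, so every generated link
  // becomes http://, the browser warns about posting credentials to an
  // insecure form action, and the page's CSP (connect-src https://...)
  // blocks the http:// request. Forcing the scheme fixes all three.
  'overwriteprotocol' => 'https',

  // Also pin the public host name, so generated links never carry the
  // internal address the offloader connects to.
  'overwritehost' => 'cloud.example.com',

  // Apply the overwrite* keys only to requests arriving from the offloader
  // (regex matched against the connecting address; PLACEHOLDER).
  'overwritecondaddr' => '^10\.0\.0\.1$',

  // Trust X-Forwarded-For from the offloader so brute-force protection and
  // the log record the real client address instead of the proxy's (PLACEHOLDER).
  'trusted_proxies' => array ('10.0.0.1'),

  // Base URL for links generated by occ / cron jobs, which see no request.
  'overwrite.cli.url' => 'https://cloud.example.com',
);
```

Two caveats: with overwriteprotocol set, every URL Nextcloud emits is https, so any remaining plain-HTTP access path to the instance has to be redirected at the offloader rather than served; and the manual "replace http: with https:" edit of the mail template described in the thread becomes unnecessary once this setting is in place and should be reverted, otherwise the next update will silently diverge from the shipped template.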