Nextcloud 16 Security Scan: __Host-Prefix

Hello,

I just installed Nextcloud 16.0.1.1 and everything works fine. No error messages. I then ran a security scan at https://scan.nextcloud.com and 1 problem popped up. __Host-Prefix has a red “x” beside it and says “The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.”

My url is https://nextcloud.domain.com
Nextcloud is stored in /var/www/nextcloud
I’m running LAMP (Ubuntu 18.04) fully up-to-date

I’ve looked this up on Google and tried numerous fixes but none of them work, plus they are all for older versions of Nextcloud. Anyone know how to get __Host-Prefix to pass on the nextcloud security scan?

I’ve tried …

  1. Header always set Referrer-Policy "no-referrer"
  2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  3. Remove alias from Apache config.

…but those don’t make a difference.

Thanks

Check in this thread: Nextcloud webroot and data directory - best practices on Ubuntu 18.04 LTS

You’ve linked me to a post telling me to remove alias from my Apache configuration yet I stated in my original post that I had already tried that. I tried it again but again I got the same error message from the scan.

My issue was that, in addition to the Alias, I had a config for the nextcloud folder as a separate file (nextcloud.conf), which I had to remove. There were no aliases in my VirtualHost configuration:

If it does not work, could you please provide your Apache2 configuration here?

There is no nextcloud.conf file on my server. Here is my Apache2 configuration:

<VirtualHost nextcloud.domain.com:443>

    ServerAdmin user@domain.com
    DocumentRoot /var/www/nextcloud
    ServerName nextcloud.domain.com

    <Directory /var/www/nextcloud>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Actually looks good. Where did you manage HTTPS, in ssl.conf?
Compared to your config, I have the following lines at the end, right before </VirtualHost>:

	Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
	Header always set Referrer-Policy no-referrer

P.S. Here I found one note: Security: __Host-Prefix cookie setting? - #7 by LukasReschke

Sent only to the host which set the cookie. That is, a cookie
named “__Host-cookie1” set from “https://example.com” MUST NOT
contain a “Domain” attribute (and will therefore be sent only to
“example.com”, and not to “subdomain.example.com”).

Should be relevant for your case as soon as you are using nextcloud.domain.com
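To make the quoted rule concrete, here is a small checker (added for this thread, not part of the original post or of Nextcloud) that parses Set-Cookie header values and reports which of the __Host- prefix requirements a cookie violates. The cookie name, values and the four sample headers are constructed for illustration; the prefix rules themselves come from the cookie-prefixes specification (Secure, no Domain, Path=/).

```python
from dataclasses import dataclass, field
# Rules for the "__Host-" cookie prefix (RFC 6265bis cookie prefixes): the
# browser only accepts such a cookie if it has Secure, has no Domain attribute
# and has Path=/. Every sample header below is constructed for this example.
@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute name (lowercased) -> value

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs (Secure, HttpOnly) map to ""
    return Cookie(name.strip(), value, attrs)

def host_prefix_problems(cookie: Cookie) -> list:
    """Reasons a __Host- cookie would be dropped by the browser; [] if compliant."""
    if not cookie.name.startswith("__Host-"):
        return []  # prefix rules do not apply to other cookies
    problems = []
    if "secure" not in cookie.attrs:
        problems.append("missing Secure attribute")
    if "domain" in cookie.attrs:
        problems.append("has Domain attribute (must be host-only)")
    if cookie.attrs.get("path") != "/":
        problems.append("Path must be exactly /")
    return problems

# Constructed samples: a compliant cookie and three ways a deployment breaks it
# (plain-HTTP vhost, a proxy adding Domain=, the app served under a sub-path).
SAMPLE_HEADERS = [
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-session=abc123; Path=/; HttpOnly; SameSite=Lax",
    "__Host-session=abc123; Domain=domain.com; Path=/; Secure",
    "__Host-session=abc123; Path=/nextcloud; Secure",
]

def audit(headers) -> dict:
    """Map each header to its list of prefix violations."""
    return {h: host_prefix_problems(parse_set_cookie(h)) for h in headers}

if __name__ == "__main__":
    for header, problems in audit(SAMPLE_HEADERS).items():
        print("OK  " if not problems else "FAIL", header, problems)
```

Running it against headers captured from your own server (for example from the browser's developer tools) shows which requirement the scan is tripping over.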

Thanks for your help. Unfortunately nothing works.
