Nextcloud 16 Security Scan: __Host-Prefix


I just installed Nextcloud and everything works fine. No error messages. I then ran a security scan at and 1 problem popped up. __Host-Prefix has a red “x” beside it and says “The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.”

My url is
Nextcloud is stored in /var/www/nextcloud
I’m running LAMP (Ubuntu 18.04) fully up-to-date

I’ve looked this up on Google and tried numerous fixes but none of them work, plus they are all for older versions of Nextcloud. Anyone know how to get __Host-Prefix to pass on the nextcloud security scan?

I’ve tried …

  1. Header always set Referrer-Policy “no-referrer”
  2. Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”
  3. Remove alias from Apache config.

…but those don’t make a difference.


Check in this tread: Nextcloud webroot and data directory - best practices on Ubuntu 18.04 LTS

You’ve linked me to a post telling me to remove alias from my Apache configuration yet I stated in my original post that I had already tried that. I tried it again but again I got the same error message from the scan.

My issue was that additional to Alias I have had conf for the nextcloud folder as separate file (nextcloud.conf), that I have to remove. That was no aliases in my VirtualHost configuration:

If it does not work, could you please provide you Apache2 configuration here?

There is no nextcloud.conf file on my server. Here is my Apache2 configuration:


     DocumentRoot /var/www/nextcloud
     <Directory /var/www/nextcloud>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
          <IfModule mod_dav.c>
            Dav off
        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined


Actually looks good. Where did you managed HTTPS, in ssl.conf?
In compare to your config I have following lines at the end right before </VirtualHost>

	Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
	Header always set Referrer-Policy no-referrer

P.S. Here I found one note: Security: __Host-Prefix cookie setting?

Sent only to the host which set the cookie. That is, a cookie
named “__Host-cookie1” set from “” MUST NOT
contain a “Domain” attribute (and will therefore be sent only to”, and not to “”).

Should be relevant for your case as soon as you are using

Thanks for your help. Unfortunately nothing works.

1 Like