Nextcloud 17 false warnings

Hello everybody and congratulations on NC 17. My update ran smoothly, though I am receiving annoying warnings which claim my headers are not set.

Of course they are set. My Apache config is shown next to the warnings:

How to get rid of this?

Hi,

From which NC version did you upgrade to NC17? I’m not 100% sure in which version it started, but it may have been NC16.0.4 where Devs moved the header configuration to the .htaccess files.

Anyway: these warnings came up for users before when the headers were set in both .htaccess and the Apache virtual host configuration.
If possible, can you try to comment out the header definitions (the ones claimed to be not set) in the virtual host config and restart Apache?

2 Likes

Hey Schmu, thank you, you pointed me in the right direction.

Indeed, both the .htaccess and my Apache config had the headers enabled. I have now commented the headers in question out of the .htaccess file. From my point of view an .htaccess file is the wrong place for such important security-relevant stuff. This belongs in the protected server config file. .htaccess files are so 1990s…

Regarding the warnings, there is a golden rule in software development: never warn about something you do not measure. These warnings are annoying and useless, not representing the real world.

Hi!
Thanks a lot! That helped to remove 2 of 3 warnings after upgrading to NC17 (‘X-Content-Type-Options’ and ‘X-Permitted-Cross-Domain-Policies’). Unfortunately I still have the nosniff-warning.

config

I already commented out this line in the .htaccess file (root directory of NC). Any idea how to find the cause?

I think Nextcloud automatically sets some of these settings in the .htaccess file now, which most likely collide with general settings in your web server configuration. I would recommend not modifying the .htaccess file, because it will eventually be overwritten next time, but changing the settings in the web server configuration instead.

2 Likes

@mabrau
As j-ed wrote, you should check the web server config and see if there is an entry for “X-Content-Type-Options” somewhere in your Apache (virtual host) config. If so, comment out that line and restart the web server. If this doesn't solve the problem, please report back with your web server config and we will check.

1 Like

There may be reasons to have the setting different in the global web server config. I could solve the problem by changing the line in .htaccess to:
Header setifempty X-Content-Type-Options "nosniff"
It works whether the option is set in the apache config or not.

2 Likes

Absolutely correct and I won’t argue with that :slight_smile:

And I’m not sure myself about the implementation of headers in the .htaccess.
I do see the advantage that Nextcloud provides by default a well-configured web application for users who are not at an expert level and do not know how to configure a web server securely. But on the other hand it causes issues for the other users who do.

This sounds like a good solution to me and should probably be posted as an enhancement request on GitHub. This could avoid these issues then. What do you think?

1 Like

There is already a github issue where I made this proposal.


Feel free to support it.

3 Likes

Thanks a lot! That’s a good solution or workaround until NC handles these settings correctly.

By the way, I had to edit the following files to finally remove all warnings! :sweat_smile:

/var/www/NC/.htaccess
/etc/apache2/apache2.conf
/etc/apache2/conf-enabled/security.conf
/etc/apache2/sites-enabled/000-default-le-ssl.conf

Yes, I also did this at the server level for the whole domain and subdomains as a basic security measure.

But changing .htaccess to:

# Add security and privacy related headers
Header setifempty Referrer-Policy "no-referrer"
Header setifempty X-Content-Type-Options "nosniff"
Header setifempty X-Download-Options "noopen"
Header always set X-Frame-Options "SAMEORIGIN"
Header setifempty X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "none"
Header always set X-XSS-Protection "1; mode=block"
SetEnv modHeadersAvailable true

works fine!

And the only thing that is left is that this has to be done again after each update. The same with .user.ini, in which I set the memory limit to 512.
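The thread attributes the warnings to the same header being set in both the virtual host and .htaccess, and the last post lists the header values Nextcloud expects. The following is an added example (written for this page, not code from the thread or from Nextcloud) that checks what a server actually sends: it reads raw HTTP response headers on stdin and reports every expected header that is missing, sent more than once, or carries a different value. The expected values are the ones from the .htaccess snippet above; the two sample responses are constructed, not captured from a real server, and `cloud.example.com` in the usage comment is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the thread: audit the security headers that
# Nextcloud's setup check looks for, by reading raw HTTP response headers
# from stdin and reporting each one that is missing, sent more than once,
# or carries a value other than the expected one.
#
# Live use (cloud.example.com is a placeholder hostname):
#   curl -sI https://cloud.example.com/ | audit_headers

# Expected name:value pairs, taken from the .htaccess snippet in the thread.
EXPECTED='Referrer-Policy:no-referrer
X-Content-Type-Options:nosniff
X-Download-Options:noopen
X-Frame-Options:SAMEORIGIN
X-Permitted-Cross-Domain-Policies:none
X-Robots-Tag:none
X-XSS-Protection:1; mode=block'

# Prints one line per problem (MISSING / DUPLICATE / MISMATCH) and returns 1
# if anything was printed, 0 if every expected header is present exactly once
# with the expected value. Header names are compared case-insensitively, so
# the lowercase names curl prints for HTTP/2 responses are handled too.
audit_headers() {
    hdrs=$(tr -d '\r')   # strip CRLF line endings from the raw headers
    problems=$(printf '%s\n' "$EXPECTED" | while IFS=: read -r name want; do
        # every value sent under this header name, one per line
        got=$(printf '%s\n' "$hdrs" | awk -F': *' -v n="$name" \
            'tolower($1) == tolower(n) { sub(/^[^:]*: */, ""); print }')
        count=$(printf '%s\n' "$got" | awk 'NF { n++ } END { print n + 0 }')
        if [ "$count" -eq 0 ]; then
            echo "MISSING $name"
        elif [ "$count" -gt 1 ]; then
            echo "DUPLICATE $name sent $count times: $(printf '%s' "$got" | tr '\n' '|')"
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name is '$got', expected '$want'"
        fi
    done)
    [ -n "$problems" ] || return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample responses (not captured from a real server).
# 1) A clean response: each header exactly once, with the expected value.
SAMPLE_OK='HTTP/1.1 200 OK
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block'

# 2) A response with the kinds of problems discussed in the thread:
#    Referrer-Policy has a different value, X-Content-Type-Options is sent
#    twice (the "set in both places" case), and X-Frame-Options is missing.
SAMPLE_BAD='HTTP/1.1 200 OK
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block'

# Demo run against the problematic sample; prints the three findings.
if printf '%s\n' "$SAMPLE_BAD" | audit_headers; then
    echo "no header problems found"
fi
```

Run it against the live server with `curl -sI https://cloud.example.com/ | audit_headers` after each change to the vhost or .htaccess and again after each Nextcloud update, since the thread notes the .htaccess edits are lost on upgrade. A DUPLICATE line is the on-the-wire symptom of the collision described above; a MISMATCH line points at a global setting that differs from what Nextcloud expects and that `setifempty` in .htaccess will not override.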

Same problem still exists in Nextcloud 18