Nextcloud config visible when I hit view source on login page

Good morning,

I am a bit concerned that my app configuration is available to a public user in source. At the top of my login page I am getting app variables displaying in source showing anonymous people potentially all my config, versions and apps running in next cloud etc. When I view source I see this sort of stuff:

var oc_debug=false;
var oc_isadmin=false;
var oc_dataURL=false;
var oc_webroot="/sandbox";
var oc_appswebroots={“activity”:"/sandbox/apps/activity",“comments”:"/sandbox/apps/comments",“dav”:"/sandbox/apps/dav", … etc

Is there a way to hide this from NC source? I am guessing I have some config somewhere in my config.php that I can modify to adjust this?

Any advice would be greatly appreciated. I’m running two version of NC. V11 and V12. Same issue on both.


Sorry to hear you’re facing problems :slight_frown:

If you’re urgently looking for support to keep your business running, consider checking out our paid support options.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the following as you can (you can cut and paste this into your topic):

Nextcloud version (eg, 10.0.2):
Operating system and version (eg, Ubuntu 16.04):
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 5.6):
Is this the first time you’ve seen this error?:

Can you reliably replicate it? (If so, please outline steps):

The issue you are facing:

The output of your Nextcloud log in Admin > Logging:

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

The output of your Apache/nginx/system log in /var/log/____:

Remember, this information may be requested if it isn’t supplied; for fastest response please provide as much as you can :heart: Feel free to use a pastebin service, otherwise log files can be indented with 4 spaces on each line to present them in a friendlier way on the forum.

1 Like

Can you show us a screen shot? Are you programming your own app?

Sure this is a screen here shared … It is view source on my login page.
I see some people place a default.php in their theme root directory and set their own app names and URL to documentation for users etc. It just seemed off it was visible to all!

You will see the javascript variables all being listed in the screenshot in black. Maybe it has to be there but seemed odd!

Yes, I am developing an app to handle a water measurements project we have on this coming year.

Ok, I moved it to the app-development section.
@BernhardPosselt @nickvergessen can you help?

Not sure the informations you’re seeing in the source are really an issue. You are only watching at the base config on each app, like their webpath. Other config value are stored in the database and only accessible (by default) by the serverside.

I was thinking as much. Probably not a major issue but I guess sometimes an organisation may not want their exact app preferences visible to anonymous not logged in user. Just a thought. If what I am seeing is normal then I guess it is ok. Thanks.

1 Like

This ^

Looks bad but isn’t really an issue. Automated hacking scripts brute force things (so versions and enabled apps are not really important) and it’s PHP which means stuff lives in your webroot.

Apart from that, its not the config, it’s certain selected variables that are relevant for the frontend.

Thanks mate.
I guess if that is the expected behaviour then there isn’t anything I can do.
Marking this as resolved. Thanks for your time.