Nextcloud Security Scan vs. securityheaders.io

Nextcloud version 13.0.1.1
Operating system and version Ubuntu 16.04 LTS
Apache 2.4.25
PHP version 7

Hello,

I installed Nextcloud in its own vhost on my Ubuntu server. Now I have the problem that scan.nextcloud.com says all is OK and I got an A+. But if I check this on securityheaders.io or httpsecurityreport.com, they say there are no security headers. I see them in the browser, and it looks OK.
If I set them in the security.conf with “setifempty”, securityheaders.io says everything is OK, but scan.nextcloud says “oh oh, problems!” and the browser shows the settings like this:

X-Content-Type-Options: nosniff, nosniff
X-Frame-Options: SAMEORIGIN, sameorigin

It’s annoying and I couldn’t find out where the mistake is. Does anyone have an idea why it is like that?

Hi,

Could you please post the full test result? Maybe as a screenshot where you paint over the sensitive information like your domain name.

Some issues occur when headers are defined multiple times, but in some configurations with Apache the header settings seem necessary in the web server config and in the .htaccess, as I read in another issue (I don’t use Apache myself).
So I’d like to see the results to get some insight into what these tests really complain about.
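
Added example, not part of either post: a Python check that flags the doubled-header condition shown in the thread, whether the value arrives comma-joined on one line or as two separate header lines. The sample response is constructed from the two header lines quoted in the first post, and the table of expected values is an assumption.

```python
# Added example: audit a raw HTTP response for missing or duplicated
# security headers. EXPECTED is an assumed policy, not Nextcloud's own list.
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin", "deny"},
}

# Constructed sample, built from the header lines quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff, nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN, sameorigin\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lowercased field name: [raw value of each header line]}."""
    fields = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def audit(raw, expected=EXPECTED):
    """Classify each expected header as ok, missing, duplicate or unexpected."""
    fields = parse_headers(raw)
    findings = {}
    for name, allowed in expected.items():
        # Repeated lines and comma-joined values are the same thing to a
        # client, so flatten both into one list of individual values.
        values = [v.strip().lower()
                  for line in fields.get(name, [])
                  for v in line.split(",") if v.strip()]
        if not values:
            findings[name] = "missing"
        elif len(values) > 1:
            findings[name] = "duplicate"
        elif values[0] not in allowed:
            findings[name] = "unexpected value"
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for header, status in audit(SAMPLE_RESPONSE).items():
        print(f"{header}: {status}")
```

To compare what different scanners see, paste the header block returned for each URL they request (for example the bare domain and the login page) into `audit()` separately.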