Nextcloud + Swag:

Nextcloud version: 28.0.2
Operating system and version: Linux 6.5.11-8-pve x86_64

Version: 8.2.7

Hi,
I have Nextcloud on a virtual machine and it works quite well. I just have 2 problems in the security part that I cannot resolve. Although I have read a lot of things on the web to help me, I am still stuck with:
The "X-Robots-Tag" HTTP header is not configured to equal "noindex, nofollow". This is a potential security and privacy risk as it is recommended to adjust this setting.
The HTTP header "X-Permitted-Cross-Domain-Policies" is not configured to be equal to "none". This is a potential security and privacy risk as it is recommended to adjust this setting.

I configured SWAG (in Docker) like this, and I don’t understand why the X-Robots-Tag and X-Permitted-Cross-Domain-Policies headers are not taken into account.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-we>
    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "noindex, nofollow"   always;
    add_header X-XSS-Protection                     "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;


    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.110;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        # Hide proxy response headers from Nextcloud that conflict with ssl.conf
        # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;


        # Disable proxy buffering
        proxy_buffering off;
    }
}

When I look at my www/html/.htaccess I find the same elements:

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "noindex, nofollow"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

Does anyone have an idea about my problem?
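As an added example (not code from the post, from Nextcloud or from SWAG), here is a small Python check that compares a response head the way the setup warning quoted above does: browsers and HTTP client libraries fold a header that arrives twice into one comma-joined value, so it no longer equals "noindex, nofollow" or "none" even though each copy is correct. That is the situation a proxy produces when nginx's add_header sets X-Robots-Tag and X-Permitted-Cross-Domain-Policies while the same two headers from the upstream .htaccess are not hidden with proxy_hide_header the way the other four are; both response heads below are constructed to illustrate it.

```python
# Added example (not from the post): compare a response head the way the
# Nextcloud setup check does. A header that arrives twice is folded by the
# client into "v, v", which no longer equals the expected value.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "x-permitted-cross-domain-policies": "none",
    "x-robots-tag": "noindex, nofollow",
}

def parse_head(raw):
    """Parse a raw HTTP response head into {lowercase name: [values]},
    keeping repeated headers so duplicates stay visible."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_security_headers(raw):
    """Return [(header, value the client sees)] for every header that does
    not match EXPECTED; an empty list means the check passes."""
    headers = parse_head(raw)
    findings = []
    for name, expected in EXPECTED.items():
        # Fold repeats exactly as XMLHttpRequest and HTTP client libraries do.
        effective = ", ".join(headers.get(name, [])).lower()
        if effective != expected:
            findings.append((name, effective))
    return findings

# Constructed sample: nginx add_header emits all four, and the upstream
# copies of the last two are forwarded too because nothing hides them.
DUPLICATED_HEAD = "\r\n".join([
    "HTTP/2 200",
    "x-content-type-options: nosniff",
    "x-frame-options: SAMEORIGIN",
    "x-permitted-cross-domain-policies: none",
    "x-permitted-cross-domain-policies: none",
    "x-robots-tag: noindex, nofollow",
    "x-robots-tag: noindex, nofollow",
    "", "",
])
# Constructed sample with a single copy of each header, as after hiding
# the upstream copies with proxy_hide_header.
FIXED_HEAD = DUPLICATED_HEAD.replace(
    "x-permitted-cross-domain-policies: none\r\n", "", 1
).replace("x-robots-tag: noindex, nofollow\r\n", "", 1)
```

Against a live instance, the raw head this function parses is what `curl -sI` on the Nextcloud URL prints, so duplicated headers can be spotted there before re-running the admin check.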

Don’t know very well. Maybe take a look at the file I mentioned here:

Edit: 10 February… I hope you solved it on your own. And welcome here.