Nextcloud System Check reports wrong warnings

Nextcloud version: 24.0.0
Operating system and version: Debian 11
Apache or nginx version: Nginx 1.21.6
PHP version: PHP 7.4

Every time I view the Settings Overview page and get the list of Security and Setup Warnings, it does not report back the correct security headers.

Screenshot of the warnings (Imgur link)

Screenshot of Chrome developer mode, showing that the headers are present (Imgur link)

Clearly, the headers are present. Why can’t nextcloud see that they are?

Has no one ever encountered this?

Verify that this line is in your nginx configuration:
avoid sending the security headers twice

Line is definitely in there, it is under the php location block, just as in that doc page.

    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

Double checking the running config:

# nginx -T | grep modHeadersAvailable
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice

External tests are better. Internal ones can be different: if you use proxies, your host can resolve to localhost and then you might end up in a different vhost, …

Perhaps if you check manually with curl, you manage to find the reason for that.

Ah found it.

On my reverse proxy, I had duplicated headers being applied in the host configuration and in my ssl-params.conf.
I suppose the Nextcloud security check can't handle duplicate headers.

It is now fixed and the security checkup is clear!

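The root cause above (the reverse proxy adding a second copy of headers the backend already sets) is easy to miss by eye in the browser's network tab. The following is an added example, not code from the thread or from Nextcloud, that parses raw response headers (for instance the output of `curl -sI https://cloud.example.com/`) and reports each security header as ok, missing, duplicated, or carrying an unexpected value. The header names and expected values are assumed from Nextcloud's documented recommendations and may need adjusting for your version; the sample response is constructed.

```python
# Security headers Nextcloud's setup check looks for, with the values its
# documentation recommends (assumed here; adjust to your Nextcloud version).
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "x-permitted-cross-domain-policies": "none",
    "x-robots-tag": "none",
    "referrer-policy": "no-referrer",
}


def parse_headers(raw):
    """Return {lowercase name: [value, ...]} from raw HTTP response header text.

    Every occurrence is kept, so a header sent twice shows up as two values.
    """
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank/garbage line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_headers(raw):
    """Classify each expected header as 'ok', 'missing', 'duplicate' or 'wrong-value'."""
    headers = parse_headers(raw)
    report = {}
    for name, expected in EXPECTED_HEADERS.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicate"  # the reverse-proxy failure mode from this thread
        elif values[0].lower() != expected:
            report[name] = "wrong-value"
        else:
            report[name] = "ok"
    return report


# Constructed sample: the proxy re-adds X-Frame-Options on top of the backend's
# own copy, and Referrer-Policy is not sent at all.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
"""

if __name__ == "__main__":
    for name, status in check_headers(SAMPLE_RESPONSE).items():
        print(f"{name}: {status}")
```

Run it against the real host from outside the network, as suggested above, since an internal request may hit a different vhost and show a different set of headers.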