I have an installation of NextCloud v18.0.3 on a shared host, and am having trouble with double headers.
Specifically, all of these are doubled up:
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
I see that I’m not the first person to come across this, but haven’t yet been able to find a full or proper solution.
What I have found is that:
- If I follow the suggestion at Nextcloud 17 false warnings to change the lines in .htaccess to 'Header setifempty ', this does nothing.
- If I comment out the relevant lines in .htaccess, I only get a duplicate of nosniff.
- The file /lib/private/legacy/response.php also contains similar header lines, but commenting these out makes no difference (at least not in v18.0.3).
- Disabling Nginx Security Headers does fix the problem (according to the Nextcloud Settings page), provided the lines in .htaccess remain commented out.
I’ve no idea what the other implications are of disabling Nginx security? Though I gather that it’s possible to add a nginx.config file, which may be the solution, if I knew what to put in it?
My webhost suggested that I try using headers-more-nginx-module to overwrite the existing header, but, despite having looked at the documentation, I’m not sure how or where?
Update
Having disabled and re-enabled Nginx security (without changing any settings), Security & setup warnings no longer list any problems. How did turning-it-off-and-back-on-again work?
…however Nextcloud Security Scan still reports a problem with X-Content-Type-Options…
Installation details:
Nextcloud version: 18.0.3
Operating system and version: Linux, version unknown
Apache or nginx version: Apache 2.4.41
Nginx version: unknown
PHP version: 7.3
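As an added diagnostic, not code from the original post or from Nextcloud, here is a small Python check that parses a raw HTTP response head (for example the output of `curl -sI` against the install) and reports every header sent more than once, flagging the three security headers named above. The sample response is constructed to reproduce the doubled headers described in the post.

```python
from collections import defaultdict

# The three headers the post reports as doubled; Nextcloud's setup check
# expects each of them exactly once with a fixed value.
SECURITY_HEADERS = {"x-content-type-options", "x-frame-options", "x-xss-protection"}


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values...]}.
    Repeated names are kept as a list so duplicates stay visible."""
    headers = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:           # skip the status line
        if not line.strip():
            break                    # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def find_duplicates(headers):
    """Return {name: values} for every header that was sent more than once."""
    return {n: v for n, v in headers.items() if len(v) > 1}


def report(raw):
    """List (name, class, kind, values) for duplicated headers. Identical repeats
    still matter: clients that join repeated headers into one string (as
    XMLHttpRequest.getResponseHeader does) then see 'nosniff, nosniff', which
    no longer equals the expected single value."""
    findings = []
    for name, values in sorted(find_duplicates(parse_headers(raw)).items()):
        kind = "identical" if len(set(values)) == 1 else "CONFLICTING"
        cls = "security" if name in SECURITY_HEADERS else "other"
        findings.append((name, cls, kind, values))
    return findings


# Constructed sample response head; not captured from any real server.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, cls, kind, values in report(SAMPLE):
        print(f"{name} ({cls}, {kind} duplicate): {values}")
```

Running it against a saved `curl -sI https://<your-host>/` head shows which layer (Apache .htaccess, the host's nginx front end, or both) is still emitting a second copy after each change.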