I was looking to write a blog article on using scan.nextcloud.com and how to patch Nextcloud. However, there are a few issues.
I got an A at first with “X Not on latest patch level” and “X __Host-Prefix”. However, after patching, I got the same mark because I didn’t enable __Host-Prefix after reading this post. It seems there is minimal benefit, and perhaps some risk too, from the need to move Nextcloud to the web root index.
Also, in writing the article I re-completed the steps on a “QA” instance I created, but I couldn’t get new results after updating and re-running the scan. Is there server-side caching?
So my suggestions:
- Have some kind of bump in mark from patching (for example “A-” or “B+” to “A” in the above case)
- Provide more explanation on __Host-Prefix or even get rid of it?
- There is no test for HTTP Strict Transport Security (HSTS), which is suggested in the documentation. Should this be added?
- Look into the caching issue
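As an added illustration of the two scanner items raised in this post (not code from the post, from scan.nextcloud.com, or from the Nextcloud project), the following script checks a captured set of response headers offline: whether HSTS is present with a long enough `max-age`, and whether the session cookies meet the `__Host-` prefix requirements (Secure, `Path=/`, no `Domain` attribute), which is why the prefix only works when Nextcloud is served from the web root. The sample headers are constructed; the 15552000-second minimum is the value the Nextcloud admin documentation recommends for HSTS and is assumed here to be what a scanner test would compare against.

```python
"""Offline check of HSTS and __Host- cookie-prefix eligibility (added example)."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Nextcloud's documented HSTS recommendation (180 days); assumption: what a
# scanner test for HSTS would require.
HSTS_MIN_AGE = 15552000

# Constructed samples. GOOD: instance at the web root, HSTS set, cookies prefixed.
# BAD: instance under /nextcloud, no HSTS, so __Host- cannot be used (Path != /).
GOOD_HEADERS: Headers = [
    ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
    ("Set-Cookie", "__Host-nc_session=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "__Host-nc_sameSite=true; Path=/; Secure; HttpOnly; SameSite=Strict"),
]
BAD_HEADERS: Headers = [
    ("Set-Cookie", "nc_session=c0ffee; Path=/nextcloud; Secure; HttpOnly"),
]


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Headers, min_age: int = HSTS_MIN_AGE) -> Tuple[bool, str]:
    """True when an HSTS header exists with a numeric max-age >= min_age."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(values[0])
    age = directives.get("max-age", "")
    if not age.isdigit():
        return False, "max-age missing or not numeric"
    if int(age) < min_age:
        return False, f"max-age {age} is below the recommended {min_age}"
    return True, "HSTS ok"


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes with lower-cased keys) for a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def host_prefix_ok(value: str) -> Tuple[bool, str]:
    """A __Host- cookie must be Secure, have Path=/, and carry no Domain attribute."""
    name, attrs = parse_set_cookie(value)
    if not name.startswith("__Host-"):
        return False, f"{name}: no __Host- prefix"
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if attrs.get("path") != "/":
        problems.append(f"Path is {attrs.get('path', '(unset)')}, must be /")
    if "domain" in attrs:
        problems.append("Domain attribute present")
    if problems:
        return False, f"{name}: " + ", ".join(problems)
    return True, f"{name}: __Host- requirements met"


def cookies_use_host_prefix(headers: Headers) -> Tuple[bool, List[str]]:
    """True only when every Set-Cookie header is a well-formed __Host- cookie."""
    results = [host_prefix_ok(v) for k, v in headers if k.lower() == "set-cookie"]
    if not results:
        return False, ["no Set-Cookie headers"]
    return all(ok for ok, _ in results), [msg for _, msg in results]


if __name__ == "__main__":
    for label, hdrs in (("GOOD", GOOD_HEADERS), ("BAD", BAD_HEADERS)):
        print(label, "HSTS:", check_hsts(hdrs))
        print(label, "__Host-:", cookies_use_host_prefix(hdrs))
```

Feeding the BAD sample through shows the practical trade-off the post describes: a Nextcloud served under `/nextcloud` can never satisfy `Path=/`, so the only way to clear the `__Host-Prefix` item is to move the install to the web root, independent of the patch level.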