I was looking to write a blog article on using scan.nextcloud.com and how to patch Nextcloud. However, there are a few issues.
I got an A at first with “X Not on latest patch level” and “X _Host Prefix”. However, after patching, I got the same mark because I didn’t enable _Host-Prefix after reading this post. It seems there is minimal benefit and perhaps some risk too from the need to move Nextcloud to the web root index.
Also, in writing the article I re-completed the steps on a “QA” instance I created, but I couldn’t get new results after updating and running through the scan - is there server-side caching?
So my suggestions:
- Have some kind of bump in mark from patching (for example “A-” or “B+” to “A” in the above case)
- Provide more explanation on _Host-Prefix or even get rid of it?
- There is no test for HTTPS strict transport security which is suggested in the documents. Should this be added?
- Look into the caching issue
To help you with the _Host-Prefix, the following thread might help you. Please read from the linked post onward as there is some further explanation down below:
This solved the problem for me and others to get an A+.
So referring to your statement
It seems there is minimal benefit and perhaps some risk too from the need to move Nextcloud to the web root index.
As you can see in the link above, moving your installation to root is not necessary.
Best regards and good luck!
Yes, removing the alias works. However, this is still the virtual host root, so if you agree with some of the posters in the original thread then it is still a security vulnerability (with regards to search engines). However, is that really a security vulnerability or just security through obscurity? I don’t really know. Also, this conflicts with the documentation, which has an example Apache configuration.
So the documentation should change or the scanning tool… but it’s not clear which one based on the information available. I’d really like LukasReschke, the security lead, to provide some more input.
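The two scan items discussed in this thread (the _Host-Prefix on the session cookie and the missing HSTS check) can be expressed as a small header checker. The following is an added example, not code from the thread or from Nextcloud or scan.nextcloud.com; it encodes the published __Host- cookie prefix rules (Secure set, no Domain attribute, Path exactly "/"), which is why the cookie only validates when the app answers at the virtual-host root instead of under an alias path. The cookie name, the sample header sets and the HSTS max-age threshold are constructed for the example.

```python
"""Check response headers for the two scan items discussed above.

Added example, not from the thread or from Nextcloud. The __Host- rules
are the cookie-prefix rules: Secure, no Domain, Path=/. The HSTS
threshold below is this example's assumption, not the scanner's.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def host_prefix_problems(set_cookie: str) -> List[str]:
    """Return the __Host- prefix rules this Set-Cookie value violates."""
    name, attrs = parse_set_cookie(set_cookie)
    if not name.startswith("__Host-"):
        return ["cookie does not use the __Host- prefix"]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure attribute")
    if "domain" in attrs:
        problems.append("Domain attribute must be absent")
    if attrs.get("path") != "/":
        # An alias such as /nextcloud yields Path=/nextcloud, which fails here.
        problems.append("Path must be exactly '/'")
    return problems


def hsts_problems(headers: Dict[str, str], min_max_age: int = 15552000) -> List[str]:
    """Check Strict-Transport-Security; min_max_age is an assumed threshold."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives: Dict[str, str] = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        directives[key.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["max-age directive missing or not an integer"]
    problems = []
    if max_age < min_max_age:
        problems.append(f"max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems


def check_response(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run both checks over one response's headers."""
    cookie = next((v for k, v in headers.items() if k.lower() == "set-cookie"), "")
    return {
        "host_prefix": host_prefix_problems(cookie) if cookie else ["no Set-Cookie header"],
        "hsts": hsts_problems(headers),
    }


# Constructed sample responses: one served at the vhost root, one under an alias.
ROOT_RESPONSE = {
    "Set-Cookie": "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
}
ALIAS_RESPONSE = {
    "Set-Cookie": "__Host-session=abc123; Path=/nextcloud; Secure; HttpOnly",
}

if __name__ == "__main__":
    for label, resp in (("root", ROOT_RESPONSE), ("alias", ALIAS_RESPONSE)):
        print(label, check_response(resp))
```

Running it shows the root-served response passing both checks and the alias-served one failing on Path and on the missing HSTS header, which is the difference between the two Apache layouts argued about in this thread.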
I totally agree. I mean it’s not a security vulnerability, so therefore it is not too important, but following the admin manual installation and security hardening guide should lead to an A+ in the scan. Also, all points mentioned in the scan should be mentioned/considered in the manual too. About the _Host-Prefix, as it is still controversial, maybe the two alternatives could be presented. Also, the scanner could be included into the security hardening manual as a final check to round it up. Now someone is just needed to do all the writing. It should be done on the advice of LukasReschke of course ;).