Security: __Host-Prefix cookie setting?

#1

Anyone know of a doc to explain enabling __Host-Prefix?

My https://scan.nextcloud.com indicates it’s the only step left to do
note: FreeBSD 11.0 p8

Thanks in advance for any ideas on this!!
OC

__Host-Prefix may be something so new that the nextcloud docs are not yet up for it, I only found it mentioned on Github and the nextcloud blog

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie indicates a spec for __Host- prefix other than that it’s really not documented out there…

Security and Nextcloud 9 Jun 14, 2016 https://statuscode.ch/2016/06/security-and-nextcloud-9/ mentions same-site cookies

3 Likes

Security: "__Host-Prefix", how to fix?
Security Scan: __Host-Prefix
Security: __Host-Prefix cookie setting? & HTTP headers
Scan.nextcloud.com: a few issues
Godaddy subdomain masking not working
Host Prefix Nextcloud 15.0.5.3
#2

Same Question here. Everything fine, scan gives grade A, only thing is __Host-Prefix ??
Server: Debian Jessie, php 7.0.16, mysql 5.5.54, apache 2.4.10

0 Likes

#3

Same question here. I’m guessing it’s automagically enabled when the environment supports it, but a quick google can’t find anything about which part of my environment is unsupported.

Nextcloud 11.0.2
PHP 5.6.30
Apache 2.4.10
MariaDB 10.0.29
Debian 8.7

0 Likes

#4

Hi,

same here. Would be nice to know where the problem might be.

0 Likes

#5

Hey there

This one should be applied automatically if the following conditions are met:

Note that this is only a “hardening” but not a security vulnerability per se. So if you don’t manage to have it: It won’t make your data insecure, but having it is an easy small security gain :slight_smile:

Can you check if those conditions are met for you? If yes and the setting isn’t applied this could be a bug or a misconfiguration in your setup. Send me a PM with your domain then please and I can check that :slight_smile:

Cheers
Lukas

2 Likes

#6

Hi @LukasReschke

I guess the second point explains it for me. I have
https://mydomain.net/nextcloud
(/var/www/nextcloud/)

But why doesn’t it work with subfolders and is there a way to enable __Host-Prefix anyway? If I have to get rid of the subfolder, does it mean I have to move
/var/www/nextcloud/ to
/var/www/

or do I have to do something else?

Thanks a lot

1 Like

#7

As per specification https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00 :

If a cookie’s name begins with “__Host-”, the cookie MUST be:

  1. Set with a “Secure” attribute
  2. Set from a URI whose “scheme” is considered “secure” by the user
    agent.
  3. Sent only to the host which set the cookie. That is, a cookie
    named “__Host-cookie1” set from “https://example.com” MUST NOT
    contain a “Domain” attribute (and will therefore be sent only to
    "example.com", and not to “subdomain.example.com”).
  4. Sent to every request for a host. That is, a cookie named
    "__Host-cookie1" MUST contain a “Path” attribute with a value of
    "/".

As per item 4 this means that we cannot do much here. That said, not having this security hardening doesn’t put you at risk. But it is something that you can consider for a future deployment.

If you really want to have an A+ rating here the easiest way would be to change the DocumentRoot in the apache configuration. However, all your connected clients would need to be reconnected and sharing links would stop working.

1 Like

#8

Thanks. So, I will not get an A+ due to having it installed in a subdir (which I consider perfectly fine) ;-/

Since this will hit many users, you should link to this thread or some other FAQ in the scan results.

6 Likes

#9

@LukasReschke so the rating considers a nextcloud installtion more secure, if it runs directly in the root of a webserver where the crawlers find it, instead of running it in a “hidden” subdirectory?

1 Like

#10

Re-reading what @LukasReschke wrote and re-checking my configuration, I’m coming to think that the issue is not the folder in which we placed our nextcloud installation but rather the subdomain.
I just realized that although having NC installed in
/var/www/nextcloud/

it reads
https://cloud.mydomain.net/index.php

So I guess it meets the criteria for path="/".
However he also mentions that there can’t be a sub-domain. And maybe someone can help with that, because I’m pretty new to web servers and cloud and stuff:
How can I achieve not having NC under a sub-domain?

I rent a domain at 1und1.de and while I don’t have a static IP address I think I had to create a sub-domain and enter the My-Fritz URL (like dyndns.org) as CNAME.
As said, being a newbie, what can I do different to get the A+?

Every advise and detailed explanation by the experienced users is very welcome and really appreciated.

Hm, even the hardening guide (https://docs.nextcloud.com/server/11/admin_manual/configuration_server/harden_server.html) advised:

Use a dedicated domain for Nextcloud

Administrators are encouraged to install Nextcloud on a dedicated domain such as cloud.domain.tld instead of domain.tld to gain all the benefits offered by the Same-Origin-Policy.

4 Likes

#11

:point_up_2: this

0 Likes

#12

This is a bogus security suggestion. Always link a cloud to another subdirectory where search engines do not pry! I give the nextcoud security checker an A- for suggesting it is more secure to host the cloud on the root of a published DNS entry!

4 Likes

Security Scan: __Host-Prefix
#13

this is a less secure decision not a more secure one
http://searchdns.netcraft.com/?restriction=site+contains&host=nextcloud.com&lookup=wait…&position=limited

Another method reveals

Subdomain IP address Netname (whois) Country (whois)
lists.nextcloud.com 88.198.160.136 HOS-2580 DE
projects.nextcloud.com 88.198.160.138 HOS-2580 DE
conf.nextcloud.com 88.198.160.138 HOS-2580 DE
updates.nextcloud.com 88.198.160.138 HOS-2580 DE
apps.nextcloud.com 88.198.160.138 HOS-2580 DE
docs.nextcloud.com 88.198.160.138 HOS-2580 DE
download.nextcloud.com 88.198.160.133 HOS-2580 DE
www.nextcloud.com 88.198.160.129 HOS-2580 DE
logs.nextcloud.com 88.198.160.138 HOS-2580 DE
stats.nextcloud.com 88.198.160.129 HOS-2580 DE
scan.nextcloud.com 88.198.160.138 HOS-2580 DE
support.nextcloud.com 88.198.160.138 HOS-2580 DE
mx.nextcloud.com 88.198.160.131 HOS-2580 DE
demo.nextcloud.com 91.103.114.57 ? ?

0 Likes

#14

Just thought I would add my A+ rating solution here in case others have a similar setup to myself. I found this thread when I used the Nextcloud scanner and achieved an ‘A’ rating, good, but no cigar! I was presented with the __Host-Prefix issue and the fact that the scanner detected my installation was in a sub-folder (/owncloud), which it wasn’t, it was being served from https://mynonwww.domain.co.uk. In addition I was running NC 11.0.1.

I did much searching around without much success for the __Host-Prefix issue solution. In the end it was simple. Upgrading to 11.0.2 fixed the __Host-Prefix issue.

As for the NC installation in a sub-folder. I had migrated from OC9 to NC. After some searching around in my apache config I discovered I had a legacy owncloud.conf file in /etc/apache2/conf-available/. This in turn contained a directory alias for a /owncloud /var/my/OC-NC-installation. As this was not in use, I simply removed the alias from the owncloud.conf file (I’m confident this conf file can be removed safely in the long-term for most migrated installations (just rename it to something else like owncloud.conf.[date])).

Re-ran the NC scanner…A+ rating.

I hope this helps someone else who has a similar setup.

Those looking to get an overall measure of how their server security is stacking up might want to also use:


and
https://www.ssllabs.com/ssltest/

1 Like

closed #15

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

0 Likes