Security: __Host-Prefix cookie setting?

Anyone know of a doc to explain enabling __Host-Prefix?

My indicates it’s the only step left to do
note: FreeBSD 11.0 p8

Thanks in advance for any ideas on this!!

__Host-Prefix may be something so new that the nextcloud docs are not yet up for it, I only found it mentioned on Github and the nextcloud blog indicates a spec for __Host- prefix other than that it’s really not documented out there…

Security and Nextcloud 9 Jun 14, 2016 mentions same-site cookies


Same Question here. Everything fine, scan gives grade A, only thing is __Host-Prefix ??
Server: Debian Jessie, php 7.0.16, mysql 5.5.54, apache 2.4.10

Same question here. I’m guessing it’s automagically enabled when the environment supports it, but a quick google can’t find anything about which part of my environment is unsupported.

Nextcloud 11.0.2
PHP 5.6.30
Apache 2.4.10
MariaDB 10.0.29
Debian 8.7


same here. Would be nice to know where the problem might be.

Hey there

This one should be applied automatically if the following conditions are met:

Note that this is only a “hardening” but not a security vulnerability per se. So if you don’t manage to have it: It won’t make your data insecure, but having it is an easy small security gain :slight_smile:

Can you check if those conditions are met for you? If yes and the setting isn’t applied this could be a bug or a misconfiguration in your setup. Send me a PM with your domain then please and I can check that :slight_smile:



Hi @LukasReschke

I guess the second point explains it for me. I have

But why doesn’t it work with subfolders and is there a way to enable __Host-Prefix anyway? If I have to get rid of the subfolder, does it mean I have to move
/var/www/nextcloud/ to

or do I have to do something else?

Thanks a lot

1 Like

As per specification :

If a cookie’s name begins with “__Host-”, the cookie MUST be:

  1. Set with a “Secure” attribute
  2. Set from a URI whose “scheme” is considered “secure” by the user
  3. Sent only to the host which set the cookie. That is, a cookie
    named “__Host-cookie1” set from “” MUST NOT
    contain a “Domain” attribute (and will therefore be sent only to”, and not to “”).
  4. Sent to every request for a host. That is, a cookie named
    “__Host-cookie1” MUST contain a “Path” attribute with a value of

As per item 4 this means that we cannot do much here. That said, not having this security hardening doesn’t put you at risk. But it is something that you can consider for a future deployment.

If you really want to have an A+ rating here the easiest way would be to change the DocumentRoot in the apache configuration. However, all your connected clients would need to be reconnected and sharing links would stop working.


Thanks. So, I will not get an A+ due to having it installed in a subdir (which I consider perfectly fine) ;-/

Since this will hit many users, you should link to this thread or some other FAQ in the scan results.


@LukasReschke so the rating considers a nextcloud installtion more secure, if it runs directly in the root of a webserver where the crawlers find it, instead of running it in a “hidden” subdirectory?


Re-reading what @LukasReschke wrote and re-checking my configuration, I’m coming to think that the issue is not the folder in which we placed our nextcloud installation but rather the subdomain.
I just realized that although having NC installed in

it reads

So I guess it meets the criteria for path="/".
However he also mentions that there can’t be a sub-domain. And maybe someone can help with that, because I’m pretty new to web servers and cloud and stuff:
How can I achieve not having NC under a sub-domain?

I rent a domain at and while I don’t have a static IP address I think I had to create a sub-domain and enter the My-Fritz URL (like as CNAME.
As said, being a newbie, what can I do different to get the A+?

Every advise and detailed explanation by the experienced users is very welcome and really appreciated.

Hm, even the hardening guide ( advised:

Use a dedicated domain for Nextcloud

Administrators are encouraged to install Nextcloud on a dedicated domain such as cloud.domain.tld instead of domain.tld to gain all the benefits offered by the Same-Origin-Policy.


:point_up_2: this

1 Like

This is a bogus security suggestion. Always link a cloud to another subdirectory where search engines do not pry! I give the nextcoud security checker an A- for suggesting it is more secure to host the cloud on the root of a published DNS entry!


this is a less secure decision not a more secure one…&position=limited

Another method reveals

Subdomain IP address Netname (whois) Country (whois) HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE HOS-2580 DE ? ?

Just thought I would add my A+ rating solution here in case others have a similar setup to myself. I found this thread when I used the Nextcloud scanner and achieved an ‘A’ rating, good, but no cigar! I was presented with the __Host-Prefix issue and the fact that the scanner detected my installation was in a sub-folder (/owncloud), which it wasn’t, it was being served from In addition I was running NC 11.0.1.

I did much searching around without much success for the __Host-Prefix issue solution. In the end it was simple. Upgrading to 11.0.2 fixed the __Host-Prefix issue.

As for the NC installation in a sub-folder. I had migrated from OC9 to NC. After some searching around in my apache config I discovered I had a legacy owncloud.conf file in /etc/apache2/conf-available/. This in turn contained a directory alias for a /owncloud /var/my/OC-NC-installation. As this was not in use, I simply removed the alias from the owncloud.conf file (I’m confident this conf file can be removed safely in the long-term for most migrated installations (just rename it to something else like owncloud.conf.[date])).

Re-ran the NC scanner…A+ rating.

I hope this helps someone else who has a similar setup.

Those looking to get an overall measure of how their server security is stacking up might want to also use:


1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.