1. Security & setup warnings
I get the following errors
The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and **we recommend adjusting this setting**.
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and **we recommend adjusting this setting.**
Really useful except there are no pointers as to where to adjust these settings
Any pointers?
The headers are set in the .htaccess file that ships with Nextcloud. If you’re using a different web server such as Nginx, you would need to set the headers in the web server configuration.
Ok so I have to edit the .htaccess?
Why isn’t the .htaccess in the install configured by default?
I’ve checked and all the alerts are set as indicated.
Hmm weird
Manual upgrade requires command line access from my reading which I don’t have
Any way around this?
You should not need to edit the .htaccess file. The default that ships with Nextcloud has the proper settings in it. Is your web hosting running Apache? If so, does it allow setting headers from the .htaccess file?
A manual upgrade can be done by deleting the files through FTP, and then uploading the new Nextcloud version. Then you can run the upgrade script from the browser. I can’t say I recommend it, but it should work. My advice is to find a hosting plan that provides SSH access. Nextcloud is a lot easier to work with if you have access to the occ command.
Just upgraded to Nextcloud 11.0.1 (stable).
All good and functioning as it should.
anon58843897 you said I should not need to edit .htaccess.
The .htaccess in the latest install is …
```
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>
# section for Apache 2.2 and 2.4
IndexIgnore *
```
Admin errors continue …
The “X-XSS-Protection” HTTP header is not configured to equal to “1; mode=block”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Robots-Tag” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Download-Options” HTTP header is not configured to equal to “noopen”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Permitted-Cross-Domain-Policies” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
earth now you really have me confused.
Just downloaded 11.0.2 and checked as I’ve updated and the errors still persist.
The .htaccess hasn’t changed and neither have the errors.
So earth, your comment “U need to add this in nginx (nextcloud.conf)” means add what to the nextcloud.conf?
The contents of the config file?
I am still at a loss that the default .htaccess causes all these errors, let alone requiring additional editing.
Are you using Apache or nginx?
What is the error?
If your errors are the same as stated in post 5 and you are using nginx, then try to modify your nginx configuration with the ones stated in the sites mentioned below.
Please compare your nextcloud conf with the one stated here,
and you will get your error solved.
I’m on Siteground too and have the same errors. Did you get the problem fixed?
In the .htaccess file I have the lines that I guess are supposed to set these parameters. Does this mean it is a configuration issue with Siteground?
```
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true
# Add cache control for static resources
<FilesMatch "\.(css|js|svg|gif)$">
Header set Cache-Control "max-age=15778463"
</FilesMatch>
```
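
One way to see which of the six headers the server actually sends, regardless of what the .htaccess file contains. This is an added example, not code from the thread or from Nextcloud; the function names and the sample response are made up for illustration.

```python
import urllib.request

# Expected values, taken from the warning text quoted in this thread.
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
}

def parse_raw(raw):
    """Split a pasted response-header block into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            pairs.append((name, value))
    return pairs

def fetch_pairs(url):
    """Read the headers your own instance actually sends (needs network)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.getheaders()

def audit_headers(pairs):
    """Return {header: (status, observed)}; status is ok, missing or mismatch.
    Header names are matched case-insensitively and every occurrence is kept."""
    seen = {}
    for name, value in pairs:
        seen.setdefault(name.strip().lower(), []).append(value.strip())
    report = {}
    for name, want in EXPECTED.items():
        got = seen.get(name.lower(), [])
        if not got:
            status = "missing"
        else:
            # Assumption of this example: values are compared ignoring case.
            same = all(v.lower() == want.lower() for v in got)
            status = "ok" if same else "mismatch"
        report[name] = (status, got)
    return report

# Constructed sample: only two of the six headers reach the client.
SAMPLE = "HTTP/1.1 200 OK\nContent-Type: text/html\n" \
         "x-content-type-options: nosniff\nX-Frame-Options: DENY\n"
if __name__ == "__main__":
    for header, (status, got) in audit_headers(parse_raw(SAMPLE)).items():
        print(f"{header:36} {status:9} {got}")
```

Pass `fetch_pairs()` the URL of your own instance, or paste the response headers from the browser's developer tools into `parse_raw()`. If headers come back as "missing" while the `Header set` lines are present in .htaccess, the thing to check is whether the web server applies those lines at all.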