Security and Setup Warnings

New Install and now two issues

1. Security & setup warnings
I get the following errors

The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and **we recommend adjusting this setting**.
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Download-Options" HTTP header is not configured to equal to "noopen". This is a potential security or privacy risk and **we recommend adjusting this setting.**
The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and **we recommend adjusting this setting.**

Really useful except there are no pointers as to where to adjust these settings
Any pointers?

2. Unable to upgrade.

Maybe as a result of the above

Logging into browser says I need to upgrade and provides this link.
https://doc.owncloud.org/server/9.1/admin_manual/maintenance/upgrade.html

Version
Nextcloud 10.0 (stable)
I’m also told that … A new version is available: ownCloud 9.1.1

Thanks

The headers are set in the .htaccess file that ships with Nextcloud. If you’re using a different web server such as Nginx, you would need to set the headers in the web server configuration.

This is a known issue. See Notification about an "upgrade" to ownCloud 9.1.1 in Nextcloud 10 stable

Thanks grouchysysadmin

Ok so I have to edit the .htaccess?
Why isn’t the .htaccess in the install configured by default?
I’ve checked and all the alerts are set as indicated.
Hmm weird

Manual upgrade requires command line access from my reading which I don’t have
Any way around this?

Thanks

You should not need to edit the .htaccess file. The default that ships with Nextcloud has the proper settings in it. Is your web hosting running Apache? If so, does it allow setting headers from the .htaccess file?

A manual upgrade can be done by deleting the files through FTP, and then uploading the new Nextcloud version. Then you can run the upgrade script from the browser. I can’t say I recommend it, but it should work. My advice is to find a hosting plan that provides SSH access. Nextcloud is a lot easier to work with if you have access to the occ command.

Just Upgraded to Nextcloud 11.0.1 (stable)
All good and functioning as it should
anon58843897 you said I should not need to edit .htaccess.

The .htaccess in the latest install is …

```apache
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>

# section for Apache 2.2 and 2.4
IndexIgnore *
```

Admin errors continue …

  • The “X-XSS-Protection” HTTP header is not configured to equal to “1; mode=block”. This is a potential security or privacy risk and we recommend adjusting this setting.
  • The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
  • The “X-Robots-Tag” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
  • The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.
  • The “X-Download-Options” HTTP header is not configured to equal to “noopen”. This is a potential security or privacy risk and we recommend adjusting this setting.
  • The “X-Permitted-Cross-Domain-Policies” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.

You need to add this in nginx (nextcloud.conf).
Search "install nextcloud with nginx" and you will get your problem solved.

Error post and can’t remove

earth now you really have me confused.
Just downloaded 11.0.2 and checked as I’ve updated and the errors still persist.
The .htaccess hasn’t changed and neither have the errors.

So earth, your comment “You need to add this in nginx (nextcloud.conf)” means add what to the nextcloud.conf?
The contents of the config file?
I am still at a loss that the default .htaccess causes all these errors, let alone requiring additional editing.

Are you using Apache or nginx?
What is the error?
If your errors are the same as stated in post 5 and you are using nginx, then try to modify your nginx configuration with the ones stated in the sites mentioned below.

Please compare your nextcloud conf with the one stated here,
and you will get your error solved.

On SiteGround - Apache
Downloaded the latest and nothing is different with the errors since Version 9.

I’m on Siteground too and have the same errors. Did you get the problem fixed?
In the .htaccess file I have the lines that I guess are supposed to set these parameters. Does this mean it is a configuration issue with Siteground?

```apache
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true

# Add cache control for static resources
<FilesMatch "\.(css|js|svg|gif)$">
  Header set Cache-Control "max-age=15778463"
</FilesMatch>
```
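Whether the `Header set` lines in .htaccess take effect can be checked from the response itself rather than from the file. The script below is an added example, not part of the original thread or of Nextcloud: it compares a raw header block (for instance the output of `curl -sI`) with the six values quoted in the warnings. The function names and the sample response are constructed for illustration, and the case-insensitive comparison is an assumption of this example.

```python
import sys

# Expected values, copied from the admin-page warnings quoted in this thread.
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
}

def parse_headers(raw):
    """Parse a raw response header block into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_security_headers(raw):
    """Return {header: problem} for every expected header that is absent or wrong."""
    seen = parse_headers(raw)
    problems = {}
    for name, want in EXPECTED.items():
        values = seen.get(name.lower())
        if not values:
            problems[name] = "missing"         # directive ignored or module not loaded
        elif len(values) > 1:
            # A browser joins repeated headers into one comma-separated value,
            # which no longer equals the expected string.
            problems[name] = "sent %d times: %r" % (len(values), values)
        elif values[0].lower() != want.lower():
            problems[name] = "got %r, want %r" % (values[0], want)
    return problems

# Constructed sample: a host that sends only two of the six headers, one with another value.
SAMPLE_PARTIAL = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                  "Content-Type: text/html; charset=UTF-8\r\n"
                  "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    # Usage: curl -sI https://<your-host>/ | python3 check_headers.py
    for header, problem in check_security_headers(sys.stdin.read()).items():
        print("%s: %s" % (header, problem))
```

Headers reported as "missing" while the `Header set` lines are present in the served directory's .htaccess point at the server not applying them, which is what the earlier reply asks about the hosting.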