Entering the Admin settings, I get multiple lines that indicate missing X-… lines. Even when using the Nextcloud security check I get wrong results.
And on other clouds even the results from the Nextcloud check and other checks differ.
The strange thing is that those lines that are discovered by other checks such as SSL Labs and https://tools.geekflare.com/report/x-frame-options-test give no error warnings.
I've set up Nextcloud in various configurations. One config is on a subdomain only with other IPv4 and IPv6 addresses. Entering the requested code in .htaccess or the config.php in Nextcloud does not work. I used:
Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "strict-origin"
SetEnv modHeadersAvailable true
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
And this should normally be working, as far as I've experienced so far.
If you check here and on the bug tracker for the homepage (Issues · nextcloud/nextcloud.com · GitHub), you will see that there are a few issues with this scanner that are way more basic and need to be fixed first.
I'd rather suggest putting a link to the SSL and X-Frame-Options scanners on scan.nextcloud.com (feel free to submit a bug report for that).
The admin settings do not see the server configuration; for such things it is better to run a scan with an external scanner. Even in the admin menu, it could perhaps be a bit clearer and link to documentation where we could link such scan services. If you want to suggest improvements for the admin page, this goes into the server repository (Issues · nextcloud/server · GitHub).
In the table you posted it looks like all headers except x-frame-options contain the value twice. You could verify this using the browser console. The scanner does not appear to be broken in general, as it does not report any issues for me.
The actual problem is that NC does not check if settings exist.
We put the security settings on the domain level for all our customers in the DirectAdmin httpd settings. Since multiple clients are on the same IPv4 and IPv6 addresses, we do not want them to weaken security.
The solution is simple but still not implemented by NC.
In .htaccess they should use "ifset" and not "set". This way there is no doubling and thus the certainty that it works. That is not the case with the default .htaccess that NC writes.
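As an added check (my own example, not code from this thread or from Nextcloud), here is a small script that does what the earlier reply suggests doing in the browser console: it parses a raw HTTP response header block, such as the output of `curl -sI https://cloud.example.org/` (placeholder hostname), and reports which security headers are missing, which are sent more than once, and which duplicates carry different values. The sample response below is constructed to resemble the situation described in the thread. For reference, the mod_headers action that only sets a header when none is present is `Header setifempty` (Apache 2.4.7 and later); note also that `Header always ...` and plain `Header ...` operate on two separate header tables, so a header set in both tables is emitted twice regardless of which action is used.

```python
"""Find missing and duplicated security headers in a raw HTTP response.

Feed it the header block as returned by `curl -sI <url>`.
"""
from collections import defaultdict

# Headers that Nextcloud's admin check and external scanners look at.
SECURITY_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-xss-protection",
    "x-download-options",
    "x-permitted-cross-domain-policies",
    "referrer-policy",
    "x-frame-options",
    "content-security-policy",
)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.x response (status line plus headers) into a
    mapping of lower-cased header name -> list of values. Every occurrence
    is kept so that duplicated headers remain visible."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the header block; ignore any body
        if line.startswith("HTTP/"):
            continue  # status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def check_security_headers(raw: str) -> dict:
    """Report security headers that are missing, sent more than once,
    and (among the duplicates) sent with differing values."""
    headers = parse_headers(raw)
    duplicated = {
        name: values
        for name, values in headers.items()
        if name in SECURITY_HEADERS and len(values) > 1
    }
    return {
        "missing": [n for n in SECURITY_HEADERS if n not in headers],
        "duplicated": duplicated,
        "conflicting": {n: v for n, v in duplicated.items() if len(set(v)) > 1},
    }


# Constructed sample (hypothetical): the hosting panel's vhost config sets
# headers with plain `Header set` (onsuccess table) while the .htaccess uses
# `Header always set` (always table), so both copies reach the client, and
# one of them disagrees on Referrer-Policy.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options: nosniff",
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy: strict-origin",
    "Referrer-Policy: no-referrer",
    "X-Frame-Options: SAMEORIGIN",
    "Content-Security-Policy: default-src 'self'",
    "Set-Cookie: oc_sessionPassphrase=xyz; path=/; HttpOnly; Secure",
    "",
    "",
])


if __name__ == "__main__":
    report = check_security_headers(SAMPLE_RESPONSE)
    for name in report["missing"]:
        print(f"MISSING   {name}")
    for name, values in report["duplicated"].items():
        label = "CONFLICT " if name in report["conflicting"] else "DUPLICATE"
        print(f"{label} {name}: {values}")
```

Against a live server, replace `SAMPLE_RESPONSE` with the text from `curl -sI` (or a saved browser network log). A header that appears twice with identical values is only noise, but different scanners may read the first or the last occurrence, which is one plausible reason for the disagreeing results mentioned above; a header that appears twice with conflicting values should be fixed at the vhost or .htaccess level so that exactly one copy is sent.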