Security headers not detected

Some headers are not set correctly on your instance:

- The X-Robots-Tag HTTP header is not set to noindex,nofollow. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

These are in the .htaccess file.

https://cloud.robkalmeijer.nl/index.php/settings/admin/overview

The others that are also set in this file are in my Apache config files. These are detected.

I’m just guessing here, but these messages don’t necessarily mean that the headers are actually not set (according to securityheaders.com, they are) and/or not working correctly, but can also mean that the check is simply not detecting them correctly.

This can happen, for example, if Nextcloud can't resolve its own domain name, and/or because of missing or incorrect 'override' parameters in your config.php: Configuration Parameters — Nextcloud latest Administration Manual latest documentation
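One way to tell "the header is really missing" from "the setup check cannot see it" is to fetch the response as an outside client and compare it against what the check expects. This is an added example, not code from the thread or from Nextcloud; the captured response is constructed, and the accepted values are the ones named in this thread plus the Referrer-Policy set and the HSTS minimum the setup check has asked for (assumed from the check's messages, not from this page).

```python
import re

# Constructed sample response (e.g. from `curl -sI https://<instance>/`), mirroring the
# thread: Apache sets most headers, the two .htaccess ones are absent, and Referrer-Policy
# was pasted with typographic quotes instead of ASCII ones, so the value arrives mangled.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: \u201csame-origin\u201d\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "\r\n"
)
REFERRER_POLICIES = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
                     "strict-origin-when-cross-origin", "same-origin"}
HSTS_MIN_AGE = 15552000  # seconds; assumed minimum the setup check asks for

def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; repeated headers are joined with commas."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def tokens(value: str) -> set:
    # split on ; , and whitespace so 'noindex, nofollow' and 'noindex,nofollow' both match
    return {t.lower() for t in re.split(r"[;,\s]+", value) if t}

def hsts_ok(value: str) -> bool:
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE

def check_headers(headers: dict) -> list:
    """One finding per header that is missing or not set as the setup check expects."""
    findings = []
    def expect(name, ok, hint):
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"{name} is not set")
        elif not ok(value):
            findings.append(f"{name} is {value!r}, expected {hint}")
    expect("X-Robots-Tag", lambda v: {"noindex", "nofollow"} <= tokens(v), "noindex,nofollow")
    expect("X-XSS-Protection", lambda v: {"1", "mode=block"} <= tokens(v), "1; mode=block")
    expect("X-Frame-Options", lambda v: v.lower() in ("sameorigin", "deny"), "SAMEORIGIN")
    expect("X-Content-Type-Options", lambda v: v.lower() == "nosniff", "nosniff")
    expect("Referrer-Policy", lambda v: v.lower() in REFERRER_POLICIES, "e.g. same-origin")
    expect("X-Permitted-Cross-Domain-Policies", lambda v: v.lower() == "none", "none")
    expect("Strict-Transport-Security", hsts_ok, f"max-age>={HSTS_MIN_AGE}")
    return findings
```

Run it on a real capture with `check_headers(parse_headers(open("headers.txt").read()))`; if it reports nothing while the admin overview still warns, the problem is the check's view of the instance (resolution or the overwrite settings), not the headers themselves.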

The only headers it missed are what is in the .htaccess file and not set in the apache server.

This happened after an update of Nextcloud.

Well, I’m not sure what exactly has changed after the update or what is causing this, but it is of course possible that something has changed in the checks, or that these exact checks were not present in older versions of Nextcloud.

What I can say for sure is that I do not see these warnings on my instance (30.0.2). Maybe you can describe your setup in more detail and post your Apache configuration and config.php. Otherwise we can only guess what might be causing this.

In the httpd.conf:

# Header settings

Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always set Referrer-Policy "same-origin"
Header always set X-Permitted-Cross-Domain-Policies: none

In vhssl.conf
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

In config.php:

<?php
$CONFIG = array (
  'passwordsalt' => 'BcOq8l1lKcKYUrnXCBFoGeD7dQDUXP',
  'secret' => 'jzOirLK3QSoyReT3iSK9g1WsZxANeX14FfnqZnmrZnTnLrqx',
  'trusted_domains' => array (
    0 => 'localhost',
    1 => 'cloud.robkalmeijer.nl',
    2 => '192.168.1.15',
    3 => '[2a02:a465:54ef:1::1:5]',
  ),
  'datadirectory' => '/srv/www/vhosts/cloud.robkalmeijer.nl/httpsdocs/data',
  'dbtype' => 'mysql',
  'version' => '30.0.2.2',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'Nextcloud1',
  'default_timezone' => 'Europe/Amsterdam',
  'installed' => true,
  'instanceid' => 'oclltontihs4',
  'theme' => '',
  'skeletondirectory' => '/srv/www/vhosts/cloud.robkalmeijer.nl/httpsdocs/core/skeleton',
  'logfile' => '/var/log/nextcloud.log',
  'loglevel' => 2,
  'logfilemode' => 416,
  'log_rotate_size' => 0,
  'logo_url' => 'https://cloud.robkalmeijer.nl/',
  'maintenance' => false,
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'robkalmeijer.nl',
  'mail_smtphost' => '127.0.0.1',
  'mail_smtpport' => 25,
  'mail_smtpsecure' => '',
  'mail_send_plaintext_only' => false,
  'default_phone_region' => 'NL',
  'maintenance_window_start' => 1,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => array (
    'host' => '/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'redis_log_file' => '/var/log/redis/redis_nextcloud.log',
);

See also: [Httpserver](https://www.robkalmeijer.nl/techniek/computer/servers/http/index.html)

Try changing that to…

'overwrite.cli.url' => 'https://cloud.robkalmeijer.nl',

…and maybe also add the following lines:

'overwritehost' => 'cloud.robkalmeijer.nl',
'overwriteprotocol' => 'https',

Solved the problem.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.