Security: "__Host-Prefix", how to fix?

I want to fix this and get A+ on security scan.
NC version 13.0.2


Right, so what file I need to edit exactly inside /etc/apache2 ?
It’s the /etc/apache2/sites-enabled/nextcloud.conf ?

That totally depends on your system/ installation and I don’t know nothing about, except the fact that it’s NC 13.0.2 :wink:

So, if nextcloud.conf is the only file in that directory, then it is definitely this file where you need to apply the changes :wink:

├── 000-default.conf -> …/sites-available/000-default.conf
└── nextcloud.conf -> …/sites-available/nextcloud.conf

Debian Stretch
PHP 7.0.27
SQLite 3.16.2
Apache 2.4.25
NC dir /var/www/html/nextcloud

Any of my files haven’t an alias configured inside to comment out. Any other tips?

You should have a config file


that is the actual config file. The files in sites-enabled are symbolic links to that directory. Check that this is the case.

To start over, what is your exact problem? What does the security scan tell?

Security scan looks everything OK, except Host-Prefix issue that is pending to be fixed, after fix this I would get an A+ in scan, that’s all.—host-prefix-cookie-setting/9740

1 Like

Content of /etc/apache2/sites-available/nextcloud.conf file:

<IfModule mod_ssl.c>
   <VirtualHost _default_:443>

     ServerAdmin <hidden-for-security-purposes>
     ServerName <hidden-for-security-purposes>
     DocumentRoot /var/www/html

     <Directory /var/www/html/>
       Options +FollowSymlinks
       AllowOverride All

      <IfModule mod_dav.c>
        Dav off

       SetEnv HOME /var/www/html
       SetEnv HTTP_HOME /var/www/html

And is your nextcloud installation directly inside

or is it a subfolder like /var/www/html/nextcloud? I have my nextcloud installed in /var/www/nextcloud, and DocumentRoot and Directory point to that directory.
Does your URL look like or like



There’s a way to move data to root without do a fresh install?
Maybe I leave as it is due to not be a big security issue I think. Also I like my current server address (i.e:

Sure you can move the directory to /var/www/nextcloud. No need to reinstall. And you may like your address, but a subdomain like is preferred by the security checker. That may be the reason not to get A+. And the setup of a subdomain in your /etc/apache2/sites-available is easy too. BTW, https is also preferred.

I made these changes but still with score A on security scan. Anyways, I will leave as it is (in default dir /var/www/html/nextcloud).

Jep no worries about this. _host prefix is just not possible when having Nextcloud in a sub directory. About preferred or not, there were quite some discussions about this (just search for A+, etc) and some claim that using a sub directory is actually more secure.

1 Like

Hello all,

I have NextCloud on /var/www/nextcloud
And I access it via so no subfolder

When trying to get A+ on my NextCloud instance, I was left with just this issue and no way to deal with it. Seeing no solution that worked for me in any help threads I decided to move on, clearing the Security tips in the NextCloud Admin panel.

After setting my Referrer Policy to:
Header always set Referrer-Policy “no-referrer”
and running the scan again, I got the A+ rating and the __Host-Prefix issue was cleared.

Hope this helps any of you still having issues with it


Unfortunately that didn’t work for me (NC 14, php7.0).
It would be very helpful if NC docs could highlight the importance of certain steps in the install. While the docs say on an Apache install it is safe to put NC at the web root — the docs don’t say that the security check will be downgraded if you don’t. It is a real bore to go through the install only to basically rework steps if you want those last bits of security.

It is exactly the same with the hardening advice to take the data directory out of root. The install is done. That is really frustrating. Particularly for users running a command line / Linux install. Surely it wouldn’t be hard to include an explanation in the docs here about setting up storage correctly (i.e., out of root).

I don’t want to seem to harsh – I really appreciate the NC product – but really wish that the documentation could be sharpened up.

1 Like

Thanks! This is almost what I was looking for to resolve the __Host-Prefix complaint in the security scanner. The solution for me was as described in that article, adding Header set Referrer-Policy "no-referrer-when-downgrade" to the Apache config file for the Nextcloud virtualhost.

My Nextcloud install has always been as described here,
but was failing the __Host-Prefix check. I don’t understand why - looking at the cookies in the Firefox console, with or without the above change, I’m sent cookies with __Host-nc_sameSiteCookielax and __Host-nc_sameSiteCookiestrict with domain set to and path set to /. Also with that change, now I am sending two sets of Referrer-Policy headers in the same request, first no-referrer then no-referrer-when-downgrade (and just no-referrer without the line in the config file).

Wish I understood why this worked and what’s actually changing!

1 Like

I only just noticed that making this change also causes a warning to appear under “Security & setup warnings”, saying

The “Referrer-Policy” HTTP header is not set to “no-referrer”, “no-referrer-when-downgrade”, “strict-origin”, “strict-origin-when-cross-origin” or “same-origin”. This can leak referer information.

Maybe it’s combining the two “Referrer-Policy” replies into an array and thus the value does not equal one of those. On my setup, I have now reverted the changes in the previous post.

Adding the following to my Apache virtual host file fixed this for me:
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"

You can find more info on setting secure cookies here:

Also, if you are changing header settings in your apache virtual host file you need to match the syntax used in the nextcloud .htaccess file to prevent duplicate header settings. For instance, if you wanted to set Header set Referrer-Policy "no-referrer" globally in apache you would need to change that to Header always set Referrer-Policy "no-referrer" because the always set condition is now used in the Nextcloud /var/www/nextcloud/.htaccess file.
You can check your current headers here: