Security: "__Host-Prefix", how to fix?

/etc/apache2/sites-enabled/
├── 000-default.conf -> …/sites-available/000-default.conf
└── nextcloud.conf -> …/sites-available/nextcloud.conf

Debian Stretch
PHP 7.0.27
SQLite 3.16.2
Apache 2.4.25
NC dir /var/www/html/nextcloud

None of my files have an alias configured inside to comment out. Any other tips?

You should have a config file

/etc/apache2/sites-available/nextcloud.conf

that is the actual config file. The files in sites-enabled are symbolic links to that directory. Check that this is the case.

To start over, what is your exact problem? What does the security scan tell?

The security scan says everything is OK, except the Host-Prefix issue that is pending to be fixed; after fixing this I would get an A+ in the scan, that’s all.

https://help.nextcloud.com/t/security—host-prefix-cookie-setting/9740


Content of /etc/apache2/sites-available/nextcloud.conf file:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>

    ServerAdmin <hidden-for-security-purposes>
    ServerName <hidden-for-security-purposes>
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
      Options +FollowSymlinks
      AllowOverride All

      <IfModule mod_dav.c>
        Dav off
      </IfModule>

      SetEnv HOME /var/www/html
      SetEnv HTTP_HOME /var/www/html
    </Directory>
  </VirtualHost>
</IfModule>

And is your nextcloud installation directly inside

or is it a subfolder like /var/www/html/nextcloud? I have my nextcloud installed in /var/www/nextcloud, and DocumentRoot and Directory point to that directory.
Does your URL look like cloud.domain.com or like domain.com/cloud?

@eehmke

/var/www/html/nextcloud

Is there a way to move the data to the root without doing a fresh install?
Maybe I’ll leave it as it is, since I don’t think it is a big security issue. Also I like my current server address (i.e. domain.com/nextcloud).

Sure you can move the directory to /var/www/nextcloud. No need to reinstall. And you may like your address, but a subdomain like nextcloud.domain.com is preferred by the security checker. That may be the reason not to get A+. And the setup of a subdomain in your /etc/apache2/sites-available is easy too. BTW, https is also preferred.
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/harden_server.html

I made these changes but still get a score of A on the security scan. Anyway, I will leave it as it is (in the default dir /var/www/html/nextcloud).

Jep, no worries about this. The __Host- prefix is just not possible when having Nextcloud in a sub directory. About preferred or not, there were quite some discussions about this (just search for A+, scan.nextcloud.com etc.) and some claim that using a sub directory is actually more secure.


Hello all,

I have NextCloud on /var/www/nextcloud
And I access it via data.example.net/index.php so no subfolder

When trying to get A+ on my NextCloud instance, I was left with just this issue and no way to deal with it. Seeing no solution that worked for me in any help threads I decided to move on, clearing the Security tips in the NextCloud Admin panel.

After setting my Referrer Policy to:
Header always set Referrer-Policy "no-referrer"
and running the scan again, I got the A+ rating and the __Host-Prefix issue was cleared.

Hope this helps any of you still having issues with it


Unfortunately that didn’t work for me (NC 14, php7.0).
It would be very helpful if NC docs could highlight the importance of certain steps in the install. While the docs say on an Apache install it is safe to put NC at the web root — the docs don’t say that the security check will be downgraded if you don’t. It is a real bore to go through the install only to basically rework steps if you want those last bits of security.

It is exactly the same with the hardening advice to take the data directory out of root. The install is done. That is really frustrating. Particularly for users running a command line / Linux install. Surely it wouldn’t be hard to include an explanation in the docs here about setting up storage correctly (i.e., out of root).

I don’t want to seem too harsh – I really appreciate the NC product – but I really wish that the documentation could be sharpened up.


Thanks! This is almost what I was looking for to resolve the __Host-Prefix complaint in the security scanner. The solution for me was as described in that article, adding Header set Referrer-Policy "no-referrer-when-downgrade" to the Apache config file for the Nextcloud virtualhost.

My Nextcloud install has always been as described here,
but was failing the __Host-Prefix check. I don’t understand why - looking at the cookies in the Firefox console, with or without the above change, I’m sent cookies with __Host-nc_sameSiteCookielax and __Host-nc_sameSiteCookiestrict with domain set to mycloud.example.com and path set to /. Also with that change, now I am sending two sets of Referrer-Policy headers in the same request, first no-referrer then no-referrer-when-downgrade (and just no-referrer without the line in the config file).

Wish I understood why this worked and what’s actually changing!


I only just noticed that making this change also causes a warning to appear under “Security & setup warnings”, saying

The “Referrer-Policy” HTTP header is not set to “no-referrer”, “no-referrer-when-downgrade”, “strict-origin”, “strict-origin-when-cross-origin” or “same-origin”. This can leak referer information.

Maybe it’s combining the two “Referrer-Policy” replies into an array and thus the value does not equal one of those. On my setup, I have now reverted the changes in the previous post.

Adding the following to my Apache virtual host file fixed this for me:
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"

You can find more info on setting secure cookies here:


Also, if you are changing header settings in your apache virtual host file you need to match the syntax used in the nextcloud .htaccess file to prevent duplicate header settings. For instance, if you wanted to set Header set Referrer-Policy "no-referrer" globally in apache you would need to change that to Header always set Referrer-Policy "no-referrer" because the always set condition is now used in the Nextcloud /var/www/nextcloud/.htaccess file.
You can check your current headers here: https://securityheaders.com/
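An added check (not code from this thread or from Nextcloud) that applies the browser's `__Host-` prefix rules (Secure set, no Domain, Path exactly "/") and the duplicate Referrer-Policy point above to captured response headers; the header samples are constructed, with cookie names following the `__Host-nc_sameSiteCookielax` pattern mentioned earlier in the thread.

```python
from typing import Dict, List


def host_prefix_problems(set_cookie: str) -> List[str]:
    """Return why a Set-Cookie value would fail the __Host- prefix rules."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    if not name.startswith("__Host-"):
        # Nextcloud only emits the prefix for a root-path HTTPS install
        return [f"{name}: no __Host- prefix"]
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure")
    if "domain" in attrs:
        problems.append(f"{name}: Domain attribute not allowed with __Host-")
    if attrs.get("path") != "/":
        problems.append(f"{name}: Path must be exactly '/', got {attrs.get('path')!r}")
    return problems


def check_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines; report cookie and Referrer-Policy findings."""
    cookies, referrer = [], []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        elif name == "referrer-policy":
            referrer.append(value)
    findings: Dict[str, List[str]] = {"cookies": [], "referrer": []}
    for c in cookies:
        findings["cookies"].extend(host_prefix_problems(c))
    if len(referrer) > 1:  # .htaccess "always set" plus a vhost "set" line
        findings["referrer"].append(f"Referrer-Policy sent {len(referrer)} times: {referrer}")
    return findings


# Constructed samples: a root-path install with a duplicated header,
# and a /nextcloud sub-directory install (no prefix possible there).
ROOT_INSTALL = """HTTP/1.1 200 OK
Set-Cookie: __Host-nc_sameSiteCookielax=true; Path=/; HttpOnly; Secure; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; Path=/; HttpOnly; Secure; SameSite=strict
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
"""
SUBDIR_INSTALL = """HTTP/1.1 200 OK
Set-Cookie: nc_sameSiteCookielax=true; Path=/nextcloud; HttpOnly; Secure; SameSite=lax
Referrer-Policy: no-referrer
"""
```

Running `check_headers(ROOT_INSTALL)` reports no cookie problems but the doubled Referrer-Policy; `check_headers(SUBDIR_INSTALL)` reports the un-prefixed cookie and a single, clean Referrer-Policy.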

Dear Steve,
I am running NextCloud 20.0.1 on Ubuntu 20.04.1 with Apache 2.4.41 and php 7.4. I am trying to fix the __Host-Prefix issue. I am running Nextcloud in /var/www/nextcloud from a domain https://www.mydomain.nl which is solely used for nextcloud.

I am trying to figure out what you mean with “my Apache virtual host file” in your message above. If I look at Geekflare’s site it seems to be httpd.conf. Trying to find this file, it also seems to be possibly named /etc/apache2/apache2.conf, as that file is on my system.

As you understand I am not very good at this. Is it possible to give some more info how to implement your suggestion? Thanks a lot! Cees.

Hi Cees,
The /etc/apache2/apache2.conf file you mention is the main apache config file. You probably don’t want to mess with that.
References to an httpd.conf file or /etc/httpd/conf.d/ directory are going to be for Red Hat and similar installations.
In Apache on Ubuntu you will usually find your virtual host files in /etc/apache2/sites-available
These are the config files for your virtual hosts. When you enable them with the command

   sudo a2ensite name_of_site.conf
   sudo systemctl restart apache2

You will see an alias created in /etc/apache2/sites-enabled for each site that was enabled.
There can be multiple files that are enabled that will affect your site. I think Ubuntu has a 000-default.conf and a default-ssl.conf that are both enabled and used by a default install of Nextcloud.
The virtual host blocks will look like this:

<VirtualHost *:80>
host configuration options are set in here somewhere.
</VirtualHost>

In my case I set the following security header outside of the virtual host block so that it affects all my hosts but you could put it inside as well:

# Implement cookie HTTP header flag with HTTPOnly & Secure to protect a website from XSS attacks
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"

<VirtualHost *:80>
host configuration options are set in here somewhere.
</VirtualHost>

Your host files might look different depending on how you have set up Apache. But you would probably want to set that in the 000-default.conf or if you created the file /etc/apache2/sites-available/nextcloud.conf I would set it there. Either way you should check the sites-enabled directory to see what you actually have enabled.

You should have a look at the documentation for apache on nextcloud. Understanding apache configuration is a big topic and is probably going to take some time to get comfortable with:

Another good resource is the Mozilla SSL configuration generator. It will give you an idea of what your virtual host file might look like:


Thanks for your explanation.

I put this line in my /etc/apache2/sites-available/nextcloud-le-ssl.conf between and <VirtualHost *:443>.

From my Windows machine I did not notice any change. The “__Host-Prefix” did not get fixed.

Later on I noticed that when I uploaded files from my Android tablet it would not work. After removing the lines again from the nextcloud-le-ssl.conf file I got messages that there were duplicate files, which I solved later.

I must have understood you incorrectly. Later I noticed you have this in a file for port 80, where I used it in a configuration file for port 443. Also it was not for the __Host-Prefix issue but for XSS attacks. Sorry I misunderstood you here.

You got me reading the documentation for Nextcloud, however. That’s what I am going to do much more!

What helped me is commenting ServerPath /nextcloud line in the Apache config file.
