Security Scan Error: INVALID_HASH

Operating system and version: Cloudlinux 7.9
Apache or nginx version: Apache 2.4.55
PHP version: 8.1
Nextcloud Hub 3: 25.0.3
Connecting using web browser (Chrome).

New setup. Ran the NextCloud Security Scan.


Technical information
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix

- core
		- .htaccess
		- .user.ini

Raw output
    [core] => Array
            [INVALID_HASH] => Array
                    [.htaccess] => Array
                            [expected] => d9cab0f077161bf043d6d85f5bcacbdfaf82913968b7706df9cf7e6f98b11af363f3843b455175ae775567916822fec8f6ab95000ba064c71e05c86a02196d95
                            [current] => 17c32c66e7a0eb4048813998f0f0b31f52af5abc00def7e1af3e6a4876546e67ea4dbec8b298d647f16b48e11c6a06ba4ff917ba5063f9411910bb51ec73e677

                    [.user.ini] => Array
                            [expected] => 4843b3217e91f8536cb9b52700efb20300290292cf6286f92794d4cec99df286afeb7dd6c91b1be20bc55eda541eef230a5c5e7dcd46c189edd0ed1e80c6d3f5
                            [current] => c5b570f9ea462872e62a275ab75d96ced3b0bd92b50ed77f04aae0ade7d6d87f5187ae9b056f19388bd498f3f8e01d6f11b5b04c80c617cf4374acb5031f8bb2




htaccess file:

      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table:
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)(\?v=.*)?$">
    Header set Cache-Control "max-age=15778463, immutable"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

# PHP 7.x
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

AddDefaultCharset utf-8
Options -Indexes

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

ErrorDocument 403 //
ErrorDocument 404 //

user init file:


Could you please link your issues together, since you are clearly encountering many, which might be related.

Here is the link:

It is missing almost all of the questions from the template. Can you please add them depending on how you’ve installed Nextcloud with Docker, bare metal, Snap, VM, etc.

Nextcloud version (eg, 20.0.5): 25.0.3
Operating system and version (eg, Ubuntu 20.04): Cloudlinux 7.9
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.55
PHP version (eg, 7.4): 8.1

The issue you are facing: I am running a Security Scan and received an error.

Is this the first time you’ve seen this error? (Y):

Steps to replicate it:

  1. Go to the Administration settings page
  2. Security & set up warnings will launch
  3. I receive a red error that there is an error regarding my setup
  4. I click on the list of “invalid files”
  5. I go to this page: /index.php/settings/integrity/failed
  6. Error log is posted in my earlier post

The output of your Nextcloud log in Admin > Logging:

There is no associated output

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'ocwrisw1ouep',
  'passwordsalt' => 'ahu6FGjh659087GHkkh59igDaEuolKGdrY6',
  'secret' => 'yHfD59fJ6D4S0lKj765fHkGssaMk95G4dsN',
  'trusted_domains' => 
  array (
    0 => '',
    1 => '',
    2 => '',
    3 => '',
    4 => '',
    5 => '',
  ),
  'datadirectory' => '/home/zzz/',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => '',
  'dbname' => 'ddd_xxx',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'ddd_xxx',
  'dbpassword' => '1234567',
  'mysql.utf8mb4' => true,
  'installed' => true,
  'default_phone_region' => 'US',
  'mail_domain' => '',
  'mail_from_address' => 'user',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
);

The output of your Apache/nginx/system log in /var/log/____:

No access--shared server.
Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

Don't see any.

Was installed using the Quick Install Wizard.

I noticed that the Invalid Hash for User disappears when I use Chrome as my browser instead of Safari.