Security Scan: __Host-Prefix with NGINX and no proxy

I have a home based Nextcloud which gives the Security Scan error:
__Host-Prefix
The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.

Server configuration detail

Operating system: Linux 5.10.0-13-686-pae #1 SMP Debian 5.10.106-1 (2022-03-17) i686
Webserver: nginx/1.18.0 (fpm-fcgi)
Database: pgsql PostgreSQL 13.5 (Debian 13.5-0+deb11u1) on i686-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 32-bit
PHP version: 8.0.17
Nextcloud version: 23.0.3 - 23.0.3.2

I have searched for a solution, but remedies revolve around apache and having a proxy. I have no proxy and am using NGINX.

Note that I have “Nextcloud in a subdir of the NGINX webroot” as documented on https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

1 Like

Hi! Try searching within the forum, GitHub and the internet. Lots of info on each. Here is someone else who solved this:

and here are other results within the forum:

https://help.nextcloud.com/search?q=__Host-Prefix

I had already done that search extensively and could not find the solution before I posted here. I had already studied the “I want to fix this and get A+ on security scan” and many others. I even tried the NGINX forums.

I did find references that say "Your nextcloud must be installed in a subdomain like cloud.example.tld and not in a subfolder like example.tld/nextcloud".

But, this was not mentioned as a limitation in https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. There was no explanation as to why subfolders cannot work to avoid this security problem or why they should be avoided.

1 Like
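The scan text quoted in the first post and the subdomain-versus-subfolder remark in the last one both come down to the rules a browser enforces for prefixed cookie names: a `__Host-` cookie must carry `Secure`, must not carry a `Domain` attribute, and must have `Path=/`; a `__Secure-` cookie only needs `Secure`. The checker below is an added example written for this thread, not code from Nextcloud or from the scan. It parses constructed Set-Cookie headers and reports which prefix rule each one breaks; the cookie name `__Host-app_session` and the assumption that a subfolder install scopes its cookie to its own base path (`Path=/nextcloud`) are illustrative assumptions, not facts taken from the thread.

```python
"""Check Set-Cookie headers against the __Host- / __Secure- cookie-prefix rules.

Added example (not Nextcloud's or the scan's code). Rules implemented:
  __Secure-  : the Secure attribute must be present
  __Host-    : Secure present, no Domain attribute, and Path must be exactly "/"
A browser that understands the prefixes rejects a cookie that breaks them,
so a server that sets such a cookie silently loses its session cookie.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names lower-cased; value is None for flag attributes such as Secure
    attrs: dict[str, str | None] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; Attr; Attr=value; ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def prefix_violations(cookie: Cookie) -> list[str]:
    """Return the prefix rules this cookie breaks; an empty list means compliant."""
    problems: list[str] = []
    name = cookie.name
    if name.startswith("__Host-") or name.startswith("__Secure-"):
        if "secure" not in cookie.attrs:
            problems.append("missing Secure attribute")
    if name.startswith("__Host-"):
        if "domain" in cookie.attrs:
            problems.append("Domain attribute must not be set")
        path = cookie.attrs.get("path")
        if path != "/":
            problems.append(f"Path must be '/' (got {path!r})")
    return problems


def host_prefix_possible(app_base_path: str) -> bool:
    """Assumption: the app scopes its cookie to its own base path.

    Then only an install at the host root (a dedicated subdomain) can satisfy
    Path=/, which is why a subfolder install cannot use a __Host- cookie.
    """
    return app_base_path.strip("/") == ""


# Constructed sample headers covering the compliant case and each failure mode.
SAMPLE_HEADERS = {
    # subdomain install: cookie scoped to the whole host -> compliant
    "subdomain": "__Host-app_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    # subfolder install: cookie scoped to /nextcloud -> Path rule broken
    "subfolder": "__Host-app_session=abc123; Path=/nextcloud; Secure; HttpOnly; SameSite=Lax",
    # served without TLS, no Secure flag -> Secure rule broken
    "no_secure": "__Host-app_session=abc123; Path=/; HttpOnly",
    # Domain attribute present -> Domain rule broken
    "domain_set": "__Host-app_session=abc123; Path=/; Secure; Domain=example.tld",
}


def check_all() -> dict[str, list[str]]:
    """Run every constructed sample through the checker."""
    return {label: prefix_violations(parse_set_cookie(h)) for label, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for label, problems in check_all().items():
        print(f"{label:11s} -> {'OK' if not problems else ', '.join(problems)}")
    print("root install can use __Host-:", host_prefix_possible("/"))
    print("subfolder install can use __Host-:", host_prefix_possible("/nextcloud"))
```

Running it shows only the `subdomain` sample passing; the `subfolder` sample fails solely on the `Path` rule, which is the limitation behind the "use a subdomain, not a subfolder" advice: with the application under `/nextcloud`, a cookie with `Path=/` would be sent to every other application on the same host, and a cookie with `Path=/nextcloud` is refused by the browser under the `__Host-` name. A plain NGINX configuration does not change this; it is a property of the cookie the application sets.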