Security scan is still using X-XSS-Protection

saettel.beifuss0 · October 27, 2025, 2:33am

I think X-XSS-Protection should no longer be used, but scan.nextcloud.com still makes use of it.

kesselb · October 27, 2025, 12:21pm

Thanks for reporting this

I’ve removed it from the code already, I just needs a deployment. I will update the github ticket once that’s done:

github.com/nextcloud/server

[Bug]: scan.nextcloud.com checks for X-XSS-Protection

opened 09:20PM - 02 Oct 25 UTC

closed 12:17PM - 27 Oct 25 UTC

b90g

bug 1. to develop 32-feedback

### ⚠️ This issue respects the following points: ⚠️ - [x] This is a **bug**, no…t a question or a configuration/webserver/proxy issue. - [x] This issue is **not** already reported on [Github](https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3Abug) OR [Nextcloud Community Forum](https://help.nextcloud.com/) _(I've searched it)_. - [x] Nextcloud Server **is** up to date. See [Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) for supported versions. - [x] I agree to follow Nextcloud's [Code of Conduct](https://nextcloud.com/contribute/code-of-conduct/). ### Bug description If i run this on a NC32 Server it complains. But NC32 states that XSS if obsolete: https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_32.html#web-server-configuration So maybe dont check for it anymore. ### Steps to reproduce 1. open a Browser and visit https://scan.nextcloud.com 2. Check a NC32 instance 3. ### Expected behavior A+ on latest patch level with good config. ### Nextcloud Server version 32 ### Operating system Debian/Ubuntu ### PHP engine version PHP 8.4 ### Web server Nginx ### Database engine version PostgreSQL ### Is this bug present after an update or on a fresh install? Upgraded to a MAJOR version (ex. 31 to 32) ### Are you using the Nextcloud Server Encryption module? Encryption is Disabled ### What user-backends are you using? - [ ] Default user-backend _(database)_ - [ ] LDAP/ Active Directory - [ ] SSO - SAML - [x] Other ### Configuration report ```json "stdout_lines": [ "{", " \"system\": {", " \"instanceid\": \"***REMOVED SENSITIVE VALUE***\",", " \"passwordsalt\": \"***REMOVED SENSITIVE VALUE***\",", " \"secret\": \"***REMOVED SENSITIVE VALUE***\",", " \"datadirectory\": \"***REMOVED SENSITIVE VALUE***\",", " \"loglevel\": 0,", " \"logfile\": \"\\/data\\/nextcloud.log\",", " \"log_rotate_size\": 1048576,", " \"trashbin_retention_obligation\": \"90, 180\",", " \"version\": \"32.0.0.13\",", " \"installed\": true,", " \"default_phone_region\": \"DE\",", " \"maintenance\": false,", " \"theme\": \"\",", " \"filelocking.enabled\": true,", " \"updater.release.channel\": \"stable\",", " \"maintenance_window_start\": 5,", " \"defaultapp\": \"\",", " \"app_install_overwrite\": {", " \"0\": \"files_retention\",", " \"1\": \"drop_account\",", " \"3\": \"checksum\",", " \"4\": \"gluusso\",", " \"5\": \"apporder\",", " \"6\": \"side_menu\",", " \"7\": \"end_to_end_encryption\",", " \"8\": \"fulltextsearch_elasticsearch\",", " \"9\": \"fulltextsearch\",", " \"10\": \"files_fulltextsearch\",", " \"11\": \"metadata\",", " \"13\": \"flowupload\",", " \"14\": \"duplicatefinder\",", " \"15\": \"previewgenerator\",", " \"16\": \"gpgmailer\",", " \"17\": \"keeporsweep\",", " \"18\": \"appointments\",", " \"19\": \"files_antivirus\",", " \"20\": \"riotchat\",", " \"21\": \"news\",", " \"22\": \"money\",", " \"23\": \"uppush\",", " \"24\": \"memories\",", " \"25\": \"files_archive\",", " \"26\": \"deck\",", " \"27\": \"keeweb\"", " },", " \"memories.exiftool\": \"\\/var\\/www\\/apps\\/memories\\/bin-ext\\/exiftool-amd64-glibc\",", " \"memories.vod.path\": \"\\/var\\/www\\/apps\\/memories\\/bin-ext\\/go-vod-amd64\",", " \"enabledPreviewProviders\": [", " \"OC\\\\Preview\\\\Image\",", " \"OC\\\\Preview\\\\HEIC\",", " \"OC\\\\Preview\\\\TIFF\",", " \"OC\\\\Preview\\\\Movie\"", " ],", " \"preview_max_x\": 8192,", " \"preview_max_y\": 8192,", " \"preview_max_filesize_image\": 12,", " \"memories.vod.disable\": false,", " \"memories.vod.ffmpeg\": \"\\/bin\\/ffmpeg\",", " \"memories.vod.ffprobe\": \"\\/bin\\/ffprobe\",", " \"memories.video_default_quality\": \"-2\",", " \"memories.db.triggers.fcu\": true,", " \"twofactor_enforced\": \"false\",", " \"twofactor_enforced_groups\": [],", " \"twofactor_enforced_excluded_groups\": [],", " \"auth.webauthn.enabled\": false,", " \"memcache.local\": \"\\\\OC\\\\Memcache\\\\Redis\",", " \"memcache.distributed\": \"\\\\OC\\\\Memcache\\\\Redis\",", " \"memcache.locking\": \"\\\\OC\\\\Memcache\\\\Redis\",", " \"redis\": {", " \"host\": \"***REMOVED SENSITIVE VALUE***\",", " \"port\": 6379,", " \"timeout\": 1.5", " },", " \"dbtype\": \"pgsql\",", " \"dbname\": \"***REMOVED SENSITIVE VALUE***\",", " \"dbhost\": \"***REMOVED SENSITIVE VALUE***\",", " \"dbport\": \"5432\",", " \"dbtableprefix\": \"oc_\",", " \"mysql.utf8mb4\": true,", " \"dbuser\": \"***REMOVED SENSITIVE VALUE***\",", " \"dbpassword\": \"***REMOVED SENSITIVE VALUE***\",", " \"mail_smtpmode\": \"smtp\",", " \"mail_sendmailmode\": \"smtp\",", " \"mail_smtpauth\": 1,", " \"mail_smtphost\": \"***REMOVED SENSITIVE VALUE***\",", " \"mail_smtpport\": \"465\",", " \"mail_domain\": \"***REMOVED SENSITIVE VALUE***\",", " \"mail_from_address\": \"***REMOVED SENSITIVE VALUE***\",", " \"mail_smtpname\": \"***REMOVED SENSITIVE VALUE***\",", " \"mail_smtppassword\": \"***REMOVED SENSITIVE VALUE***\",", " \"mail_send_plaintext_only\": true,", " \"mail_smtpsecure\": \"ssl\",", " \"trusted_domains\": [", " \"***REMOVED SENSITIVE VALUE***\",", " \"***REMOVED SENSITIVE VALUE***\"", " ],", " \"trusted_proxies\": \"***REMOVED SENSITIVE VALUE***\",", " \"overwrite.cli.url\": \"https:\\/\\/***REMOVED SENSITIVE VALUE***\",", " \"htaccess.RewriteBase\": \"\\/\",", " \"overwriteprotocol\": \"https\",", " \"files.chunked_upload.max_size\": 536870912", " }", "}" ``` ### List of activated Apps ```shell "stdout_lines": [ "Enabled:", " - audioplayer: 3.5.1", " - calendar: 6.0.0", " - checksum: 1.2.6", " - cloud_federation_api: 1.16.0", " - contacts: 8.0.2", " - dav: 1.34.2", " - deck: 1.16.0", " - federatedfilesharing: 1.22.0", " - files: 2.4.0", " - files_antivirus: 6.0.5", " - files_downloadlimit: 5.0.0-dev.0", " - files_fulltextsearch: 31.0.0", " - files_pdfviewer: 5.0.0-dev.0", " - files_reminders: 1.5.0", " - files_sharing: 1.24.0", " - files_trashbin: 1.22.0", " - files_versions: 1.25.0", " - fulltextsearch: 31.0.0", " - fulltextsearch_elasticsearch: 31.0.0", " - keeweb: 0.6.22", " - lookup_server_connector: 1.20.0", " - money: 0.30.0", " - music: 2.3.0", " - news: 27.0.0", " - notes: 4.12.3", " - notifications: 5.0.0-dev.0", " - notify_push: 1.2.0", " - oauth2: 1.20.0", " - profile: 1.1.0", " - provisioning_api: 1.22.0", " - richdocuments: 9.0.0", " - riotchat: 0.19.0", " - settings: 1.15.1", " - systemtags: 1.22.0", " - text: 6.0.0-dev.0", " - theming: 2.7.0", " - twofactor_backupcodes: 1.21.0", " - uppush: 2.3.1", " - user_oidc: 8.0.0", " - viewer: 5.0.0-dev.0", " - workflowengine: 2.14.0", "Disabled:", " - activity: 5.0.0-dev.0 (installed 2.21.1)", " - admin_audit: 1.22.0 (installed 1.19.0)", " - app_api: 32.0.0 (installed 3.1.0)", " - bruteforcesettings: 5.0.0-dev.0 (installed 2.2.0)", " - circles: 32.0.0 (installed 29.0.0-dev)", " - comments: 1.22.0 (installed 1.22.0)", " - contactsinteraction: 1.13.1 (installed 1.10.0)", " - dashboard: 7.12.0 (installed 7.1.0)", " - encryption: 2.20.0", " - federation: 1.22.0 (installed 1.11.0)", " - files_external: 1.24.0 (installed 1.12.1)", " - firstrunwizard: 5.0.0-dev.0 (installed 2.9.0)", " - logreader: 5.0.0-dev.0 (installed 2.14.0)", " - nextcloud_announcements: 4.0.0-dev.0 (installed 1.9.0)", " - password_policy: 4.0.0-dev.0 (installed 1.19.0)", " - photos: 5.0.0-dev.1 (installed 2.5.0)", " - privacy: 4.0.0-dev.0 (installed 1.13.0)", " - recommendations: 5.0.0-dev.0 (installed 1.1.0)", " - related_resources: 3.0.0-dev.0 (installed 3.0.0-dev.0)", " - serverinfo: 4.0.0-dev.0 (installed 1.19.0)", " - sharebymail: 1.22.0 (installed 1.19.0)", " - support: 4.0.0-dev.0 (installed 1.3.0)", " - survey_client: 4.0.0-dev.0 (installed 1.8.0)", " - suspicious_login: 10.0.0-dev.0", " - twofactor_nextcloud_notification: 6.0.0-dev.0 (installed 3.10.0)", " - twofactor_totp: 14.0.0 (installed 11.0.0-dev)", " - updatenotification: 1.22.0 (installed 1.22.0)", " - user_ldap: 1.23.0 (installed 1.20.0)", " - user_status: 1.12.0 (installed 1.0.1)", " - weather_status: 1.12.0 (installed 1.1.0)", " - webhook_listeners: 1.3.0 (installed 1.1.0-dev)" ``` ### Nextcloud Signing status ```shell last time i checked everything was ok (got the checkmark on admin page) ``` ### Nextcloud Logs ```json . ``` ### Additional info this regards