Security warning on "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"

After installing an SSL certificate from Let's Encrypt I see this warning under “Security and setup warnings” in Basic settings.

The output of curl -v for my server name (the IP address and hostname are not the real ones):

    * Rebuilt URL to: https://example.com/
    *   Trying 10.10.10.10...
    * TCP_NODELAY set
    * Connected to example.com (10.10.10.10) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=example.com
    *  start date: Sep 12 01:16:00 2018 GMT
    *  expire date: Dec 11 01:16:00 2018 GMT
    *  subjectAltName: host "example.com" matched cert's "example.com"
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x556b4a2c2740)
    > GET / HTTP/2
    > Host: example.com
    > User-Agent: curl/7.58.0
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    < HTTP/2 302
    < server: nginx/1.14.0 (Ubuntu)
    < date: Tue, 18 Sep 2018 20:38:29 GMT
    < content-type: text/html; charset=UTF-8
    < location: https://example.com/login
    < set-cookie: oc95enbpecg7=9kfchel9h43k12bamever0lnvc; path=/; secure; HttpOnly
    < expires: Thu, 19 Nov 1981 08:52:00 GMT
    < cache-control: no-store, no-cache, must-revalidate
    < pragma: no-cache
    < set-cookie: oc_sessionPassphrase=KwL%2FSUtHD039vW3Xs3MeeAV0DjLnT%2FwfAP9tgU8KHCztAE%2Fjz%2Fo1KDq3zGdvbnhwFuetmJAAXzGMuCD4wj3lWi7anSmLDnDyl0ZgJfRrNSZgcmFL3stRV9cTEo6OOjct; path=/; secure; HttpOnly
    < content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-V0orQ0J1MTNoWWlDR0xCNm94T01TenlSRnIybMplMzR5TVZ5TzRyMmp5VT06SWMzdWTkY215ZnJyTDRNTzdtdmhKQXJRWlBUMFNwdWZwNlFEU002SHVXND0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
    < x-frame-options: SAMEORIGIN
    < set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
    < set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
    < strict-transport-security: max-age=15768000; includeSubdomains; preload
    < x-frame-options: SAMEORIGIN
    < x-content-type-options: nosniff
    < x-xss-protection: 1; mode=block
    < x-robots-tag: none
    < x-download-options: noopen
    < x-permitted-cross-domain-policies: none
    <
    * Connection #0 to host example.com left intact

I see that the X-Frame-Options “SAMEORIGIN” HTTP header shows twice in the output. I did this test where I commented out (with #) this line in the /etc/nginx/snippet/ssl.conf file.

Doing so, the warning goes away and all checks pass, but when I reboot the server nginx does not start anymore. I re-enabled the entry in that ssl.conf file and nginx works fine, but the warning comes up again.

Is there another location where this entry could be?

My OS is Ubuntu 18.04 with Nginx, MariaDB and Nextcloud 13.0.6.

The entry does exist in the /etc/nginx/sites-available/nextcloud.conf file and is commented out (disabled). If I enable it there, I then see the line repeated three times in the curl -v output.

It looks like I have to disable it in another file, but I cannot find where this entry gets enforced.

Any idea?

Thanks,
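As an added example (not from the thread or from Nextcloud), the two checks a practitioner would run on a setup like this: count how often a given header comes back in a response, and list every add_header directive for it in the effective nginx configuration, including directives pulled in from included snippets and directives that are only commented out. nginx's add_header appends a header to whatever the upstream (here PHP-FPM) already sent; it does not replace it, so each active add_header for X-Frame-Options adds one more copy. The response and config samples below are constructed for the example; the "# configuration file ..." separator lines mimic the format of nginx -T output.

```shell
#!/usr/bin/env sh
# Added example: header duplication and add_header discovery helpers.

# Count occurrences of a response header (header names are case-insensitive).
# Input: raw response header lines on stdin. Output: the count (0 if absent).
count_header() {
    grep -i -c "^$1:" || true
}

# List add_header directives for a header in an nginx config dump (stdin),
# e.g. the output of: sudo nginx -T
# nginx ignores any line whose first non-blank character is '#', so those are
# labelled "commented" and the rest "active".
find_add_header() {
    awk -v name="$1" '
        tolower($0) ~ ("add_header[ \t]+" tolower(name)) {
            state = ($0 ~ /^[ \t]*#/) ? "commented" : "active"
            print state ": " $0
        }'
}

# Number of add_header directives nginx will actually apply for the header.
count_active_add_header() {
    find_add_header "$1" | grep -c '^active:' || true
}

# Constructed sample: a trimmed version of the response headers quoted above,
# carrying the X-Frame-Options header twice (once from PHP, once from nginx).
sample_response() {
cat <<'EOF'
HTTP/2 302
server: nginx/1.14.0 (Ubuntu)
location: https://example.com/login
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15768000; includeSubdomains; preload
X-Frame-Options: SAMEORIGIN
x-content-type-options: nosniff
EOF
}

# Constructed sample in the shape of `nginx -T` output: the site config has the
# directive commented out, while the included snippet still carries an active one.
sample_config() {
cat <<'EOF'
# configuration file /etc/nginx/sites-enabled/nextcloud.conf:
server {
    listen 443 ssl http2;
    include snippets/ssl.conf;
    #add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
}
# configuration file /etc/nginx/snippets/ssl.conf:
ssl_protocols TLSv1.2;
add_header X-Frame-Options "SAMEORIGIN";
EOF
}

# Against a live server the same functions would be fed from
#   curl -sD - -o /dev/null https://example.com/ | count_header X-Frame-Options
#   sudo nginx -T | find_add_header X-Frame-Options
# Here they run on the constructed samples.
echo "X-Frame-Options copies in response: $(sample_response | count_header X-Frame-Options)"
echo "add_header directives found in config:"
sample_config | find_add_header X-Frame-Options
echo "active add_header directives: $(sample_config | count_active_add_header X-Frame-Options)"
```

A count greater than one in the response while exactly one add_header is active points at the upstream application setting the header as well; if the active count is zero and the header still appears once, it is coming from the application only, which is what the Nextcloud warning expects.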

I have the same problem.

In the Nginx configuration the Same-Origin header was removed. This is now handled in PHP and keeping it will result in a wrong header. Please remove those lines in your Nginx config: add_header X-Frame-Options "SAMEORIGIN";

https://docs.nextcloud.com/server/13/admin_manual/release_notes.html?highlight=frame#updates-to-nginx-configuration

Thanks MeiRos for the info. The entry add_header X-Frame-Options "SAMEORIGIN"; is commented out; it has a # in front in the nextcloud.conf file. Isn’t that equivalent to the entry not being there?

You are saying this function is now handled by PHP. How? Would you know which file in the PHP config has the entry defined? The php.ini in /etc/php/7.2/fpm does not have this entry at all. I looked at other files but cannot find any.

The only one I found was in the ssl.conf file. Yes, if I remove it from there then the warning goes away and Nextcloud says all checks passed, but… nginx does not start if I reboot the server with the entry removed from this file.

I’m not sure which file loads the first of these entries in the curl -v output that I have pasted above. I know the 2nd one gets added from the ssl.conf file under the /etc/nginx/snippets directory.

Thanks,

I don’t know how it’s handled, but I had the same (or a similar) problem, and removing the entry from the nginx conf (nextcloud.conf) file and from the files which are included in the nginx conf file fixed it.

I don’t understand why your settings work if you restart nginx manually after you edit ssl.conf, but not after a reboot.
If nginx isn’t working after you reboot, what do you get if you run

sudo systemctl status nginx

?

Can you start nginx manually when it wasn’t running after reboot?

I installed about 58 updates on Ubuntu 18.04, and after doing so and testing the removal of the entry from the ssl.conf file, the nginx status is now loaded with no errors. The warning is gone now. I’m not sure what happened, but all checks are fine now and I see only one entry of this header, loaded from some PHP config (not sure yet which file contributes this from PHP).

I tested with a reboot and nginx comes up fine now.

I’ll consider this as resolved for now. Thanks for your replies.

That’s great! :+1: