[SOLVED] Docker NC17 tag "fpm" - The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"

Hi!
Docker NC 17.0 with “fpm” tag has

Removing “add_header X-Frame-Options “SAMEORIGIN”;” from Nginx config and “.htaccess” file doesn’t solve this problem!

Any ideas how to fix that?

PS: With docker NC 16.0.5 everything is Ok! But I can’t downgrade 17 to 16.0.5 :((

Hi,

Removing the header from the web server config was a solution before, when NC sent this header itself.
With NC17 that changed and NC doesn’t send this header anymore by itself. Consequently users have to add the header to their web server configuration again.

When you go to the following page on your server as admin user, you can see the correct nginx config for NC17:
https://your.domain.tld/settings/help?mode=admin
(admin profile pic → help → Administration documentation → Installation and server configuration → Nginx configuration)

There you see the new, correct header settings:

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

Please don’t forget the second block, where the header has to be added:

location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read into
    # this topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Optional: Don't log access to assets
    access_log off;
}
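As an added example (not part of the original thread or of the Nextcloud project), here is a small POSIX sh checker for the seven headers listed in the answer above. It matters for the "second block" point: in nginx, `add_header` directives are inherited from the enclosing level only if the current `location` defines none of its own, so the asset `location` with its `Cache-Control` header silently drops X-Frame-Options unless the security headers are repeated there. The two response samples below are constructed to show exactly that; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: verify that an HTTP response carries the security headers
# the NC17 nginx documentation expects. Not code from the original thread.
# Real use:  curl -sI https://your.domain.tld/            | sh -c '. ./check.sh; check_headers'
#            curl -sI https://your.domain.tld/core/css/server.css | sh -c '. ./check.sh; check_headers'
# (your.domain.tld is a placeholder; the path is only an example asset URL.)

EXPECTED='Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block'

# check_headers: reads a raw response header block on stdin, prints every
# expected header that is absent (header names matched case-insensitively,
# values matched exactly) and returns 0 only when all seven are present.
check_headers() {
    resp=$(tr -d '\r')       # strip CRLF line endings from curl/nginx output
    status=0
    while IFS= read -r want; do
        name=${want%%:*}
        value=${want#*: }
        if ! printf '%s\n' "$resp" | grep -iq "^${name}: ${value}\$"; then
            echo "MISSING: $want"
            status=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $status
}

# Constructed sample 1: a response for "/" from a server with the first
# header block in place. All seven headers present.
ROOT_OK='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block'

# Constructed sample 2: a response for a .css asset from a server whose
# asset location sets only Cache-Control. Because that location has its own
# add_header, nothing is inherited from the outer block, so every security
# header is missing. This is the symptom the second block fixes.
ASSET_BAD='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
Cache-Control: public, max-age=15778463'

# Demo on the constructed samples (safe to run offline).
printf '%s\n' "$ROOT_OK"   | check_headers && echo "root: all security headers present"
printf '%s\n' "$ASSET_BAD" | check_headers || echo "asset: headers missing, repeat them in the asset location"
```

Run it against both "/" and a static asset URL: a clean "/" with a failing asset check is the classic sign that only the first block was copied into the nginx config.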

Thank you very much for your advice!
Now everything is fine!)
