Some headers are not set correctly on your instance even if set

Hi there

For some time now I have been getting this error message. If you have any more questions or need more information or logs, just let me know :slight_smile:. Thank you very much in advance for your help!

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • Nextcloud Hub 9 (30.0.2)
  • Operating system and version (e.g., Ubuntu 24.04):
    • Linux 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64
  • Web server and version (e.g., Apache 2.4.25):
    • Apache/2.4.62 (Debian)
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • Apache/2.4.62 (Debian)
  • PHP version (e.g., 8.3):
    • 8.2.26
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • Not sure, but some updates ago
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • Installation on VPS
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

In the “Security & setup warnings” tab, I get the following message:

Some headers are not set correctly on your instance
  • The X-Robots-Tag HTTP header is not set to noindex,nofollow. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The X-Permitted-Cross-Domain-Policies HTTP header is not set to none. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
  • The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation.

I have seen GitHub issues relating to a similar problem, but the update that included the fix did not help in my case. The curl -I command shows all the headers being applied. I also used securityheaders.com to verify whether the headers work, and they do. It’s just that Nextcloud does not seem to recognise that… I also tried manually adding the headers to the .conf files in sites-enabled and to the .htaccess file in the Nextcloud root.

Steps to replicate it:

The behaviour is not reproducible by following specific steps.

Log entries

Nextcloud

Pastebin (will expire in 1 month)

Web server / Reverse Proxy

Pastebin (will expire in 1 month)

Configuration

Nextcloud

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "185.216.178.208",
            "cloud.ron.swiss"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.2.2",
        "overwrite.cli.url": "http:\/\/185.216.178.208\/nextcloud",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "CH",
        "simpleSignUpLink.shown": false,
        "maintenance_window_start": 1,
        "overwriteprotocol": "https",
        "updater.release.channel": "stable",
        "x-robots-tag": "noindex, nofollow"
    }
}

Apps

Enabled:
  - activity: 3.0.0
  - admin_audit: 1.20.0
  - app_api: 4.0.0
  - bruteforcesettings: 3.0.0
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0
  - comments: 1.20.1
  - contactsinteraction: 1.11.0
  - dav: 1.31.1
  - federatedfilesharing: 1.20.0
  - federation: 1.20.0
  - files: 2.2.0
  - files_downloadlimit: 3.0.0
  - files_external: 1.22.0
  - files_pdfviewer: 3.0.0
  - files_reminders: 1.3.0
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1
  - files_versions: 1.23.0
  - firstrunwizard: 3.0.0
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - nextcloud_announcements: 2.0.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - password_policy: 2.0.0
  - photos: 3.0.2
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - recommendations: 3.0.0
  - related_resources: 1.5.0
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - support: 2.0.0
  - systemtags: 1.20.0
  - text: 4.1.0
  - theming: 2.5.0
  - twofactor_backupcodes: 1.19.0
  - twofactor_totp: 12.0.0-dev
  - updatenotification: 1.20.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - weather_status: 1.10.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0
Disabled:
  - dashboard: 7.10.0 (installed 7.0.0)
  - encryption: 2.18.0
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - survey_client: 2.0.0 (installed 1.16.0)
  - suspicious_login: 8.0.0
  - twofactor_nextcloud_notification: 4.0.0
  - user_ldap: 1.21.0
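As an added example (not code from the post, and not Nextcloud's own setup check), here is a small Python checker that evaluates a response's headers against exactly the values the warning text above lists: X-Robots-Tag containing noindex and nofollow, X-Permitted-Cross-Domain-Policies equal to none, X-XSS-Protection containing 1; mode=block, Referrer-Policy among the five accepted values, and Strict-Transport-Security with max-age of at least 15552000 seconds. It is useful here because an external scanner such as securityheaders.com only sees the hostname you give it, whereas the config above also has overwrite.cli.url pointing at a plain-http URL on the bare IP; the assumption (not stated on the page) is that Nextcloud's check requests the instance itself, so it is worth running this against every URL the instance knows about, not only https://cloud.ron.swiss. The two sample header blocks at the bottom are constructed for illustration, not captured from the poster's server.

```python
"""Check a Nextcloud instance's HTTP response headers against the
recommendations quoted in the post's warning text.

Added example, not code from the post or from Nextcloud. The header names,
accepted values and the 15552000-second HSTS minimum come from the warning;
the sample header blocks at the bottom are constructed for illustration.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List

HSTS_MIN_AGE = 15552000  # seconds; the minimum the warning text quotes
REFERRER_OK = {
    "no-referrer", "no-referrer-when-downgrade", "strict-origin",
    "strict-origin-when-cross-origin", "same-origin",
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block (as printed by `curl -I`) into
    lower-cased name -> list of values; repeated headers are kept."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _tokens(value: str) -> set:
    """Split a comma-separated header value into normalised tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def check_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return one problem string per failed check; an empty list means all passed."""
    problems: List[str] = []

    robots = headers.get("x-robots-tag", [])
    if not any({"noindex", "nofollow"} <= _tokens(v) for v in robots):
        problems.append("X-Robots-Tag: not set to noindex,nofollow")

    xpcdp = headers.get("x-permitted-cross-domain-policies", [])
    if not any(v.lower() == "none" for v in xpcdp):
        problems.append("X-Permitted-Cross-Domain-Policies: not set to none")

    xss = headers.get("x-xss-protection", [])
    if not any("1;mode=block" in v.replace(" ", "").lower() for v in xss):
        problems.append("X-XSS-Protection: does not contain 1; mode=block")

    referrer = headers.get("referrer-policy", [])
    if not any(_tokens(v) & REFERRER_OK for v in referrer):
        problems.append("Referrer-Policy: not one of " + ", ".join(sorted(REFERRER_OK)))

    hsts = headers.get("strict-transport-security", [])
    ages = [int(m.group(1)) for v in hsts
            for m in [re.search(r"max-age=(\d+)", v, re.I)] if m]
    if not ages:
        problems.append("Strict-Transport-Security: not set")
    elif max(ages) < HSTS_MIN_AGE:
        problems.append(f"Strict-Transport-Security: max-age {max(ages)} < {HSTS_MIN_AGE}")

    return problems


def check_url(url: str) -> List[str]:
    """Fetch `url` (following redirects, like a browser) and check the headers
    of the final response. A 4xx/5xx response still carries headers, so it is
    checked too. Also flags a plain-http final URL: browsers ignore HSTS
    unless it arrives over HTTPS."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1"})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    try:
        problems = check_headers(parse_headers(str(resp.headers)))
        if not resp.geturl().startswith("https://"):
            problems.insert(0, f"final URL {resp.geturl()} is not HTTPS; HSTS cannot take effect")
    finally:
        resp.close()
    return problems


# Constructed sample responses (not captured from the poster's server).
GOOD_RAW = """HTTP/1.1 200 OK
Server: Apache/2.4.62 (Debian)
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Robots-Tag: noindex, nofollow
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
Content-Type: text/html; charset=UTF-8
"""

BAD_RAW = """HTTP/1.1 200 OK
Server: Apache/2.4.62 (Debian)
X-Robots-Tag: noindex, nofollow
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Referrer-Policy: unsafe-url
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    # With a URL argument, check the live instance; otherwise show the samples.
    if len(sys.argv) > 1:
        for p in check_url(sys.argv[1]) or ["all checks passed"]:
            print(p)
    else:
        for label, raw in (("good", GOOD_RAW), ("bad", BAD_RAW)):
            print(label, check_headers(parse_headers(raw)) or "all checks passed")
```

Run it as `python3 header_check.py https://cloud.ron.swiss/` and again with the overwrite.cli.url value from the config; if the two runs disagree, the headers are being set in one vhost but not the other, which `curl -I` against the hostname alone would never reveal. The checker deliberately reads the headers of the final response after redirects, so a plain-http URL that 301s to HTTPS is judged on the HTTPS answer, with the non-HTTPS note telling you that the HSTS header could not have been honoured on the first hop.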