Hi there
For some time now I have been getting this error message. If you have any more questions or need more information or logs, just let me know. Thank you very much in advance for your help!
The Basics
- Nextcloud Server version (e.g., 29.x.x):
Nextcloud Hub 9 (30.0.2)
- Operating system and version (e.g., Ubuntu 24.04):
Linux 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64
- Web server and version (e.g, Apache 2.4.25):
Apache/2.4.62 (Debian)
- Reverse proxy and version (e.g. nginx 1.27.2):
Apache/2.4.62 (Debian)
- PHP version (e.g, 8.3):
8.2.26
- Is this the first time you’ve seen this error? (Yes / No):
Yes
- When did this problem seem to first start?
Not sure, but some updates ago
- Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
Installation on VPS
- Are you using Cloudflare, mod_security, or similar? (Yes / No)
No
Summary of the issue you are facing:
In Tab “Security & setup warnings”, I get the following message:
Some headers are not set correctly on your instance
- The X-Robots-Tag HTTP header is not set to noindex,nofollow. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-Permitted-Cross-Domain-Policies HTTP header is not set to none. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
- The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation.
I have seen GitHub issues relating to a similar problem, but the update in which the fix was included did not help in my case. The curl -I command shows all the headers being applied. I also used securityheaders.com to verify whether the headers work, and they do. It’s just that Nextcloud does not seem to recognise that… I also tried manually adding the headers to the sites-enabled.conf-files, and the .htaccess-file in nextcloud-root.
Steps to replicate it:
Behaviour is not reproducible by following steps
Log entries
Nextcloud
Pastebin (Will expire in 1 Month)
Web server / Reverse Proxy
Pastebin (Will expire in 1 Month)
Configuration
Nextcloud
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "185.216.178.208",
            "cloud.ron.swiss"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.2.2",
        "overwrite.cli.url": "http:\/\/185.216.178.208\/nextcloud",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "CH",
        "simpleSignUpLink.shown": false,
        "maintenance_window_start": 1,
        "overwriteprotocol": "https",
        "updater.release.channel": "stable",
        "x-robots-tag": "noindex, nofollow"
    }
}
Apps
Enabled:
- activity: 3.0.0
- admin_audit: 1.20.0
- app_api: 4.0.0
- bruteforcesettings: 3.0.0
- circles: 30.0.0
- cloud_federation_api: 1.13.0
- comments: 1.20.1
- contactsinteraction: 1.11.0
- dav: 1.31.1
- federatedfilesharing: 1.20.0
- federation: 1.20.0
- files: 2.2.0
- files_downloadlimit: 3.0.0
- files_external: 1.22.0
- files_pdfviewer: 3.0.0
- files_reminders: 1.3.0
- files_sharing: 1.22.0
- files_trashbin: 1.20.1
- files_versions: 1.23.0
- firstrunwizard: 3.0.0
- logreader: 3.0.0
- lookup_server_connector: 1.18.0
- nextcloud_announcements: 2.0.0
- notifications: 3.0.0
- oauth2: 1.18.1
- password_policy: 2.0.0
- photos: 3.0.2
- privacy: 2.0.0
- provisioning_api: 1.20.0
- recommendations: 3.0.0
- related_resources: 1.5.0
- serverinfo: 2.0.0
- settings: 1.13.0
- sharebymail: 1.20.0
- support: 2.0.0
- systemtags: 1.20.0
- text: 4.1.0
- theming: 2.5.0
- twofactor_backupcodes: 1.19.0
- twofactor_totp: 12.0.0-dev
- updatenotification: 1.20.0
- user_status: 1.10.0
- viewer: 3.0.0
- weather_status: 1.10.0
- webhook_listeners: 1.1.0-dev
- workflowengine: 2.12.0
Disabled:
- dashboard: 7.10.0 (installed 7.0.0)
- encryption: 2.18.0
- files_rightclick: 0.15.1 (installed 1.6.0)
- survey_client: 2.0.0 (installed 1.16.0)
- suspicious_login: 8.0.0
- twofactor_nextcloud_notification: 4.0.0
- user_ldap: 1.21.0
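
The five conditions quoted in the warning above can be evaluated against saved `curl -I` output. This is an added example, not part of the original post and not Nextcloud's own check; the function names and both sample responses are constructed for illustration.

```python
import re

REFERRER_OK = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
               "strict-origin-when-cross-origin", "same-origin"}
HSTS_MIN = 15552000  # seconds, the minimum quoted in the warning

def final_headers(raw):
    """Parse `curl -I` output; after redirects keep only the last response."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    headers = {}
    for line in (blocks[-1].splitlines()[1:] if blocks else []):  # skip status line
        name, sep, value = line.partition(":")
        if sep:  # a header sent twice is joined with ", "
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return headers

def tokens(value):
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def failing_headers(raw):
    """Names of headers that miss the conditions quoted in the warning."""
    h = final_headers(raw)
    failed = []
    if not {"noindex", "nofollow"} <= set(tokens(h.get("x-robots-tag", ""))):
        failed.append("X-Robots-Tag")
    if set(tokens(h.get("x-permitted-cross-domain-policies", ""))) != {"none"}:
        failed.append("X-Permitted-Cross-Domain-Policies")
    if "1; mode=block" not in h.get("x-xss-protection", "").lower():
        failed.append("X-XSS-Protection")
    policy = tokens(h.get("referrer-policy", ""))
    if not policy or policy[-1] not in REFERRER_OK:  # stricter: last token must be listed
        failed.append("Referrer-Policy")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < HSTS_MIN:
        failed.append("Strict-Transport-Security")
    return failed

# Constructed sample responses (not taken from the poster's server).
SAMPLE_OK = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://cloud.example.test/\r\n\r\n"
             "HTTP/1.1 200 OK\r\nX-Robots-Tag: noindex, nofollow\r\n"
             "X-Permitted-Cross-Domain-Policies: none\r\nX-XSS-Protection: 1; mode=block\r\n"
             "Referrer-Policy: no-referrer\r\n"
             "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n")
SAMPLE_BAD = ("HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: none\r\n"
              "X-XSS-Protection: 1; mode=block\r\nReferrer-Policy: no-referrer\r\n"
              "Strict-Transport-Security: max-age=3600\r\n\r\n")

if __name__ == "__main__":
    print(failing_headers(SAMPLE_OK), failing_headers(SAMPLE_BAD))
```

Running it on the output for each URL the instance answers on (for example both entries in trusted_domains) shows whether every virtual host sends the same headers.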