The "Referrer-Policy" HTTP header is not set to "no-referrer"


#1

The “Referrer-Policy” HTTP header is not set to “no-referrer”, “no-referrer-when-downgrade”, “strict-origin” or “strict-origin-when-cross-origin”. This can leak referer information.
There is a link to the documentation but no instructions on how to fix it.

Does anyone know which file and where to add the lines:

server {
    # Configuration
    add_header Referrer-Policy no-referrer always;
}

My first post and I apologise if I’ve left out any details.
Nextcloud version 14.0.0
Ubuntu Server 18.04

Steps to replicate it:

  1. Upgrade Nextcloud from last stable 13 to 14
  2. Settings/Overview/Security and setup warnings

#2

Have a look here and paste whichever one you chose just below the line Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" in their example.


#3

Set
Header set Referrer-Policy "no-referrer"
in your .htaccess

On my installation it looks like this:

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Referrer-Policy "no-referrer"
    SetEnv modHeadersAvailable true
  </IfModule>

#4

Thanks Soko,
For me on Ubuntu 18.04 it was a case of:

cd /var/www/html/nextcloud
sudo nano .htaccess

paste in: Header set Referrer-Policy "no-referrer" as per Soko's answer.

Done.


#5

Added the line as said but doesn’t work for me. Still getting that message.

Should be mentioned that I have a different structure:
/var/www/nextcloud/.htaccess

Running Nextcloud 14.0 on Raspbian Debian Stretch 9.

What can I do?

BR
Michael


#6

mod_env active?

a2enmod env

I hope Nextcloud will fix the htaccess in the next release, see https://github.com/nextcloud/server/issues/11099


#7

That’s it. Thanks a lot!


#9

This did not fix it for me. I don’t know if it’s because I’m using docker or what, but adding this to my nginx settings fixed it:

add_header Referrer-Policy no-referrer always;

#10

Put it in your nextcloud apache config.

  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    Header always set Referrer-Policy no-referrer
  </IfModule>


#11

As the original poster, I just have to say, I've moved to Resilio. It's far from perfect but nowhere near the overhead of running Nextcloud. I love NC, but when it goes to shit, it really goes to shit and it is not an easy/quick recovery.
Besides that, the Android app STILL fails to sync reliably. Unless I actually check it, photos don’t get synced automatically.

Having said that… Neither does Resilio. But at least the Resilio app will tell you it isn’t synced.

This is crucial for my deployments.


#12

This warning continues to appear after each update, even if it was already fixed. Would it not be possible to include this modification in the original .htaccess?


#13

Deploy nextcloud with docker. You will never look back. I used to have tons of issues with Owncloud, and then with standalone Nextcloud. The docker implementation has become effortless for me. Just a thought. I would not give up on Nextcloud just yet.


#14

Cheers bkraul. I’ve played with the Docker versions before and I agree it’s a quick install. I had configuration issues oddly. I need to skill up on Docker.


#15

Let me know if I can be of help. I settled with the fpm-alpine version of Nextcloud, using docker-compose (along with jwilder/nginx-proxy). I build an image of Nextcloud with additional functionality, and generally try to keep it up to date.

You can find the images here.

The last update I made to the nginx image addresses the issue in this thread. Let me know if you need any help with docker-compose.


#16

Maybe that line should be added by default. In last two upgrades (last one to 14.0.3, and former to 14.0.1) I had to add it manually to my .htaccess, which fixed the issue.


#17

Adding it to .htaccess violates the integrity checks.
That's why @Anunnaki's post is the better option (unless it is put in the .htaccess by Nextcloud themselves).


#18

Hi. I also keep getting this message. As if the set header values are not picked up.

In /etc/httpd/sites-enabled/host_ssl.conf I've put this between the VirtualHost tags:

 <IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  Header always set Referrer-Policy "no-referrer"
 </IfModule>

The .htaccess file looks like:

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Referrer-Policy "no-referrer"
    SetEnv modHeadersAvailable true
  </IfModule>

Thus far I’m unable to get rid of the message under Security & setup warnings.

I’m using Centos7.5 with webstatic php71-fpm and mariadb 10.3.
The headers module appears to be loaded when issuing the command httpd -M.

Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
... TRUNCATED ....
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
.... TRUNCATED ....

I’m pretty much out of options here. Is there someone here to help point into the right direction?


#19

I am also getting this error and can’t get rid of it. Tried the above methods to no avail.


#20

So I did some extra digging, and it looks like the HTTP headers are set correctly:

On https://securityheaders.com you can scan your site for security headers.
According to the scan the two headers I mentioned are set correctly (apart from the newly introduced Feature-Policy security header):

But my Nextcloud install is saying it is not set.
So who's to blame here? Is Nextcloud reading the headers incorrectly?
Is the site securityheaders.com wrong?
From what I’m seeing here all is correctly setup.

Because when I comment out the lines in my httpd config file and restart httpd and run the scan again it comes back red.

[EDIT]
Thanks to the site I noticed it was complaining about the Referrer-Policy being set twice!
Once in the HTTPD config and once in the .htaccess file in the root of Nextcloud.
After deleting the line in .htaccess of the Nextcloud installation, all checks turned green.
So basically setting the values needs to be done in only one place. Either in the httpd config file or in .htaccess, the way I see it.
So coming back to my questions, the Nextcloud configuration was partially wrong. Instead of saying the Referrer-Policy HTTP header is not set, it should have said it is seeing the Referrer-Policy twice. That way you know that the policy is set correctly, but one too many times.


#21

Cool - that brought me to the solution:

I got a warning about some unknown directive when I just copied the line.

Now I changed the double quotes in .htaccess and just retyped them and all warnings and errors are gone - in Nextcloud and on the securityheaders - great!

Maybe copying this
Header set Referrer-Policy "no-referrer"
helps?
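Posts #20 and #21 show two ways the header can be "set" and still fail the Nextcloud check: it is sent twice (vhost config plus .htaccess), or the value carries typographic quotes pasted from the forum. The checker below is an added example written for this thread, not Nextcloud's own setup check; the accepted policy values are the four named in the warning in post #1, and the header samples are constructed, e.g. from the output of `curl -sI` against your own instance.

```python
from typing import List, Tuple

# Values that satisfy the Nextcloud setup warning quoted in post #1.
ACCEPTED = {"no-referrer", "no-referrer-when-downgrade",
            "strict-origin", "strict-origin-when-cross-origin"}
# Typographic quotes that a copy/paste from the forum can introduce into config files.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def referrer_policy_values(raw_headers: str) -> List[str]:
    """Return every Referrer-Policy value in a raw HTTP response header block, in order."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            values.append(value.strip())
    return values


def check_referrer_policy(raw_headers: str) -> Tuple[bool, str]:
    """Distinguish the three failure modes seen in this thread: missing, duplicated, wrong value."""
    values = referrer_policy_values(raw_headers)
    if not values:
        return False, "Referrer-Policy header is not set"
    if len(values) > 1:
        # Post #20: header set in both httpd config and .htaccess is sent twice.
        return False, "Referrer-Policy is sent %d times: %r" % (len(values), values)
    value = values[0]
    if any(c in SMART_QUOTES for c in value):
        # Post #21: curly quotes pasted into .htaccess are not the ASCII quotes Apache expects.
        return False, "Referrer-Policy value contains typographic quotes: %r" % value
    if value.lower() not in ACCEPTED:
        return False, "Referrer-Policy value %r is not one of %s" % (value, sorted(ACCEPTED))
    return True, "Referrer-Policy is set once to %r" % value


def smart_quote_lines(config_text: str) -> List[int]:
    """1-based line numbers of an .htaccess or vhost snippet that contain typographic quotes."""
    return [i for i, line in enumerate(config_text.splitlines(), 1)
            if any(c in SMART_QUOTES for c in line)]


# Constructed samples (not captured from a real server).
SAMPLE_OK = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
             "Referrer-Policy: no-referrer\r\n\r\n")
SAMPLE_DUP = ("HTTP/1.1 200 OK\r\n"
              "Referrer-Policy: no-referrer\r\n"
              "Referrer-Policy: no-referrer\r\n\r\n")
SAMPLE_HTACCESS = ('Header set Referrer-Policy \u201cno-referrer\u201d\n'
                   'Header set X-Robots-Tag "none"\n')
```

Running `smart_quote_lines` over your .htaccess before restarting the web server catches the post #21 problem without a round trip to securityheaders.com.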