The "Referrer-Policy" HTTP header is not set to "no-referrer"


The “Referrer-Policy” HTTP header is not set to “no-referrer”, “no-referrer-when-downgrade”, “strict-origin” or “strict-origin-when-cross-origin”. This can leak referer information.
There is a link to the documentation but no instructions on how to fix it.

Does anyone know which file and where to add the lines:

server {
    # Configuration
    add_header Referrer-Policy no-referrer always;
}

My first post and I apologise if I’ve left out any details.
Nextcloud version 14.0.0
Ubuntu Server 18.04

Steps to replicate it:

  1. Upgrade Nextcloud from last stable 13 to 14
  2. Settings/Overview/Security and setup warnings

The "Referrer-Policy" HTTP header is not set

Have a look here and paste whichever one you chose just below the line Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" in their example.


Header set Referrer-Policy "no-referrer"
in your .htaccess

On my installation it looks like this:

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Referrer-Policy "no-referrer"
    SetEnv modHeadersAvailable true
  </IfModule>


Thanks Soko,
For me on Ubuntu 18.04 it was a case of:

cd /var/www/html/nextcloud
sudo nano .htaccess

paste in: Header set Referrer-Policy "no-referrer" as per Soko’s answer.



Added the line as said but doesn’t work for me. Still getting that message.

Should be mentioned that I have a different structure:

Running Nextcloud 14.0 on Raspbian Debian Stretch 9.

What can I do?



mod_env active?

a2enmod env

I hope Nextcloud will fix the htaccess in the next release, see


That’s it. Thanks a lot!


This did not fix it for me. I don’t know if it’s because I’m using docker or what, but adding this to my nginx settings fixed it:

add_header Referrer-Policy no-referrer always;


Put it in your nextcloud apache config.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    Header always set Referrer-Policy no-referrer
</IfModule>



As the original poster, I just have to say, I’ve moved to Resilio. It’s far from perfect but nowhere near the overhead of running Nextcloud. I love NC, but when it goes to shit, it really goes to shit and it is not an easy/quick recovery.
Besides that, the Android app STILL fails to sync reliably. Unless I actually check it, photos don’t get synced automatically.

Having said that… Neither does Resilio. But at least the Resilio app will tell you it isn’t synced.

This is crucial for my deployments.


This warning continues to appear after each update, even if it was already fixed. Would it not be possible to include this modification in the original .htaccess?


Deploy nextcloud with docker. You will never look back. I used to have tons of issues with Owncloud, and then with standalone Nextcloud. The docker implementation has become effortless for me. Just a thought. I would not give up on Nextcloud just yet.


Cheers bkraul. I’ve played with the Docker versions before and I agree it’s a quick install. I had configuration issues oddly. I need to skill up on Docker.


Let me know if I can be of help. I settled with the fpm-alpine version of Nextcloud, using docker-compose (along with jwilder/nginx-proxy). I build an image of Nextcloud with additional functionality, and generally try to keep it up to date.

You can find the images here.

The last update I made to the nginx image addresses the issue in this thread. Let me know if you need any help with docker-compose.


Maybe that line should be added by default. In the last two upgrades (the last one to 14.0.3, and the former to 14.0.1) I had to add it manually to my .htaccess, which fixed the issue.


Adding it to .htaccess violates the integrity checks.
That's why @Anunnaki's post is the better option (unless it is put in the .htaccess by Nextcloud themselves).
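
To confirm which of the fixes discussed in this thread actually reached the wire, the check below evaluates a raw response header block against the four values the warning accepts. It is an added example, not part of any post above and not Nextcloud's own check; the function names and sample responses are constructed, and it assumes the browser rule from the W3C Referrer Policy specification that the last recognised token in the header wins.

```python
# Added example: evaluate response headers against the values named in the
# Nextcloud warning. Function names and sample responses are constructed.

# Values the warning quoted at the top of this thread accepts.
ACCEPTED = {"no-referrer", "no-referrer-when-downgrade",
            "strict-origin", "strict-origin-when-cross-origin"}
# Remaining tokens defined by the W3C Referrer Policy specification.
KNOWN = ACCEPTED | {"same-origin", "origin",
                    "origin-when-cross-origin", "unsafe-url"}


def effective_policy(raw_headers):
    """Return the policy token a browser would apply, or None."""
    policy = None
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "referrer-policy":
            continue
        # A value may be a comma-separated fallback list and the header may
        # repeat; the last recognised token wins, unknown tokens are ignored.
        for token in value.split(","):
            token = token.strip().lower()
            if token in KNOWN:
                policy = token
    return policy


def check(raw_headers):
    """Return (passes, effective_policy) for one raw header block."""
    policy = effective_policy(raw_headers)
    return policy in ACCEPTED, policy


# Constructed responses, in the form `curl -sI` prints them.
SAMPLES = {
    "fixed": "HTTP/1.1 200 OK\r\nReferrer-Policy: no-referrer\r\n",
    "missing": "HTTP/1.1 200 OK\r\nX-Robots-Tag: none\r\n",
    "fallback": "HTTP/1.1 200 OK\r\n"
                "Referrer-Policy: no-referrer, strict-origin-when-cross-origin\r\n",
    "weak": "HTTP/1.1 200 OK\r\nreferrer-policy: unsafe-url\r\n",
    # Typographic quotes sent as part of the value: not a valid token.
    "curly": "HTTP/1.1 200 OK\r\nReferrer-Policy: “no-referrer”\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check(raw))
```

Run it against both a normal page and an error page of your server: nginx only attaches `add_header` values to error responses when `always` is given, which is why the directive quoted in this thread includes it.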