The "Referrer-Policy" HTTP header is not set to "no-referrer"

Thanks Soko,
For me on Ubuntu 18.04 it was a case of:

cd /var/www/html/nextcloud
sudo nano .htaccess

paste in: Header set Referrer-Policy “no-referrer” as per Soko’s answer.

Done.

2 Likes

Added the line as said but doesn’t work for me. Still getting that message.

Should be mentioned that I have a different structure:
/var/www/nextcloud/.htaccess

Running Nextcloud 14.0 on Raspbian Debian Stretch 9.

What can I do?

BR
Michael

mod_env active?

a2enmod env

I hope Nextcloud will fix the htaccess in the next release, see https://github.com/nextcloud/server/issues/11099

1 Like

That’s it. Thanks a lot!

This did not fix it for me. I don’t know if it’s because I’m using docker or what, but adding this to my nginx settings fixed it:

add_header Referrer-Policy no-referrer always;
1 Like

Put it in your nextcloud apache config.
<IfModule mod_headers.c>

Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

Header always set Referrer-Policy no-referrer

</IfModule>

3 Likes

As the original poster, I just have to say, I’ve moved to Resilio. It’s far from perfect but nowhere near the overhead of running Nextcloud. I love NC, bit when it goes to shit, it really goes to shit and it is not an easy/quick recovery.
Besides that, the Android app STILL fails to sync reliably. Unless I actually check it, photos don’t get synced automatically.

Having said that… Neither does Resilio. But at least the Resilio app will tell you it isn’t synced.

This is crucial for my deployments.

1 Like

this warning continues to appear after each update, even if it was already fixed, it would not be possible to include this modification in the original .htaccess?

1 Like

Deploy nextcloud with docker. You will never look back. I used to have tons of issues with Owncloud, and then with standalone Nextcloud. The docker implementation has become effortless for me. Just a thought. I would not give up on Nextcloud just yet.

1 Like

Cheers bkraul. I’ve played with the Docker versions before and I agree it’s a quick install. I had configuration issues oddly. I need to skill up on Docker.

Let me know if I can be of help. I settled with the fpm-alpine version of Nextcloud, using docker-compose (along with jwilder/nginx-proxy. I build an image of Nextcloud with additional functionality, and generally try to keep it up to date.

You can find the images here.

The last update I made to the nginx image addresses the issue in this thread. Let me know if you need any help with docker-compose.

Maybe that line should be added by default. In last two upgrades (last one to 14.0.3, and former to 14.0.1) I had to add it manually to my .htaccess, which fixed the issue.

adding it to .htaccess violates the integrity checks.
thats why @Anunnaki s post is the better option (unless it put in the .htaccess by nextcloud themselves)

1 Like

Hi. I also keep getting this message. As if the set header values are not picked up.

In the /etc/httpd/sites-enabled/host_ssl.conf I’ve put this between the “VirtualHost” tag:

 <IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  Header always set Referrer-Policy "no-referrer"
 </IfModule>

In the .htaccess file looks like:

<IfModule mod_env.c>
 # Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
SetEnv modHeadersAvailable true
</IfModule>

Thus far I’m unable to get rid of the message under Security & setup warnings.

I’m using Centos7.5 with webstatic php71-fpm and mariadb 10.3.
The headers module appears to be loaded when issuing the command httpd -M.

Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
... TRUNCATED ....
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
.... TRUNCATED ....

I’m pretty much out of options here. Is there someone here to help point into the right direction?

1 Like

I am also getting this error and can’t get rid of it. Tried the above methods to no avail.

So I did some extra digging, and it looks the HTTP headers are set correctly:

On https://securityheaders.com you can scan your site for security headers.
According to the scan the two headers I mentioned are set correclty (apart from the newly introduced Feature-Policy security header):

But my Nextcloud install is saying it is not set.
So who’s the blame here. Is Nextcloud reading the headers incorrecty?
Is the site securityheaders.com wrong?
From what I’m seeing here all is correctly setup.

Because when I comment out the lines in my httpd config file and restart httpd and run the scan again it comes back red.

[EDIT]
Thanks the site I noticed it was complaining about the Referrer-Policy was being set twice!
One in the HTTPD config and once in the .htaccess file in the root of Nextcloud.
After deleting the line in .htaccess of the Nextcloud installation, all checks turned green.
So basically setting the values need to be done only in one place. Either the httpd config file of in .htaccess the way see it.
So coming back to my questions, the nextcloud configuration was partially wrong. Instead of saying the Referrer-Policy HTTP header is not set, it should have said it is seeing the Referrer-Policy twice. That way you know that the policy is set correctly, but one to many times.

4 Likes

Cool - that brought me to the solution:

I get a warning about some unknown directlve when I just copied the line.

Now I changed the double quotes in .htaccess and just retyped them and all warnings and errors are gone - in Nextcloud and on the securityheaders - great!

Maybe copying this
Header set Referrer-Policy “no-referrer”
helps?

Hi there,

just for info: I am usually having a similar problem as I have set my header policy in the vhost file of Apache.
Nextcloud comes with same headers at the .htaccess file.

My common practice is to delete the headers at .htaccess file.

Yeah. And that to. Blindly copying these lines into vi changed the quotes into fancy once, like this:

“ ”

Linux does not see these as quotes. Replace them with straight quotes:

" "

Realized it wasn’t loading the htaccess files so I added the AllowOverride All to the vhost and that fixed it.