The "SAMEORIGIN" warning does not go away!

Hi, after the update to Nextcloud the following configuration message appeared:

The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential security or privacy risk, and we recommend changing this setting.

To solve the security bug I added the following string to the .htaccess file:
Header always append X-Frame-Options SAMEORIGIN

But the warning continues to show up.

What is this problem due to? Thank you so much.

1 Like

Put this into .htaccess:

Header set X-Frame-Options "SAMEORIGIN"

1 Like

I tried, but the error still occurs :frowning:

In NC 11+ the X-Frame-Options header is set automatically by PHP to SAMEORIGIN.

See:
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/harden_server.html?highlight=sameorigin

Security header test here:

1 Like

I have exactly the same situation as giuseppe_giordano.

1 Like

If I go to https://securityheaders.com/ and analyse cloud.georgemovila.com, it says:

Missing Headers

X-Frame-Options: X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".

And I have the warning in my Nextcloud installation. If I do the same test on https://securityheaders.com/ using https://cloud.georgemovila.com, it's okay, but the error is still present.

I also tried this command:

curl -I https://georgemovila.com

HTTP/1.1 200 OK
Date: Wed, 03 Oct 2018 08:14:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dc071586230852132216e02346f6250851538554489; expires=Thu, 03-Oct-19 08:14:49 GMT; path=/; domain=.georgemovila.com; HttpOnly; Secure
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN

Which version of Nextcloud?

I have just installed the latest version downloaded from nextcloud.com.

Which webserver do you use and which PHP version?

I'm using:

# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59

php -v

PHP 7.1.21 (cli) (built: Aug 25 2018 14:37:09) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.1.21, Copyright © 1999-2018, by Zend Technologies

I ran the test and X-Frame-Options SAMEORIGIN is active! But Nextcloud keeps telling me it's wrong.

PHP 7.2.8

Same story here.

Are you behind a firewall or proxy?

Then do a grep in the webroot of your installation:

grep -R SAMEORIGIN *

and open

~/core/doc/admin/_sources/release_notes.txt

I have this output:

grep -R SAMEORIGIN /var/www/html/cloud.georgemovila.com/

/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: msg: 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/setupchecks.js: 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
/var/www/html/cloud.georgemovila.com/core/doc/admin/_sources/release_notes.txt: add_header X-Frame-Options "SAMEORIGIN";
/var/www/html/cloud.georgemovila.com/core/doc/admin/_sources/configuration_server/harden_server.txt:- X-Frame-Options: SAMEORIGIN
/var/www/html/cloud.georgemovila.com/core/doc/admin/release_notes.html:add_header X-Frame-Options "SAMEORIGIN";
/var/www/html/cloud.georgemovila.com/core/doc/admin/configuration_server/harden_server.html: X-Frame-Options: SAMEORIGIN
/var/www/html/cloud.georgemovila.com/lib/private/legacy/response.php: header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
1 Like

This is what Google Chrome tells you about your HTTP headers (press F12):

Perhaps Cloudflare is the problem?

And what should I do because of this?

I do not think so, because I do not use Cloudflare; Nextcloud is hosted on shared hosting.

As you can see in the screenshot above, the X-Frame-Options header is set twice, 1x from .htaccess and 1x from PHP. Obviously ~/lib/private/legacy/response.php is doing it.
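The duplicate header is exactly what trips the setup check. A browser-side check reads the header through XMLHttpRequest.getResponseHeader(), which joins repeated headers of the same name with ", ", so two copies of SAMEORIGIN arrive as the single string "SAMEORIGIN, SAMEORIGIN", and that string is neither of the accepted values ['SAMEORIGIN', 'DENY'] that the grep output shows in core/js/setupchecks.js. The script below is an added example, not code from this thread or from Nextcloud: it parses a raw response head while preserving duplicates, reproduces the browser's joined view, and evaluates the header the way such a check would. The exact-match rule and its case-insensitivity are modelled on the check rather than copied from it, and the three sample responses are constructed.

```python
"""Diagnose why a duplicated X-Frame-Options header fails an exact-value check.

Added example (not Nextcloud code). Accepted values come from the grep output in the
thread (core/js/setupchecks.js); the ", " join mirrors XMLHttpRequest.getResponseHeader().
"""
from typing import Dict, List, Optional, Tuple

# Values the setup check accepts, as listed in core/js/setupchecks.js.
ACCEPTED_XFO = ("SAMEORIGIN", "DENY")

# Constructed sample: PHP emits the header and .htaccess appends a second copy.
DUPLICATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

# Constructed sample: only the PHP-emitted header, which is what Nextcloud expects.
SINGLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

# Constructed sample: a proxy stripped the header entirely.
MISSING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs, keeping duplicates in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def browser_view(pairs: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the header as getResponseHeader() exposes it: repeated headers joined with ', '.

    Apache's 'Header append' merges copies into one line with the same separator, so the
    joined string looks identical whether the duplication happened in Apache or in the browser.
    """
    values = [v for n, v in pairs if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def check_xfo(raw_response: str) -> Dict[str, object]:
    """Evaluate X-Frame-Options the way an exact-match setup check would (case-insensitive, assumed)."""
    pairs = parse_headers(raw_response)
    count = sum(1 for n, _ in pairs if n.lower() == "x-frame-options")
    value = browser_view(pairs, "X-Frame-Options")
    if value is None:
        return {"count": 0, "value": None, "passes": False, "reason": "header missing"}
    passes = value.upper() in ACCEPTED_XFO
    if passes:
        reason = "ok"
    elif count > 1:
        reason = "header sent %d times; combined value %r matches no accepted value" % (count, value)
    else:
        reason = "value %r is not one of %s" % (value, "/".join(ACCEPTED_XFO))
    return {"count": count, "value": value, "passes": passes, "reason": reason}


if __name__ == "__main__":
    for label, raw in (("duplicated", DUPLICATED_RESPONSE),
                       ("single", SINGLE_RESPONSE),
                       ("missing", MISSING_RESPONSE)):
        result = check_xfo(raw)
        print("%-10s passes=%s  %s" % (label, result["passes"], result["reason"]))
```

Against a live instance the same observation can be made with the command already used in this thread: `curl -I` against the Nextcloud URL (not the bare domain) and count how many `X-Frame-Options` lines come back; with the header already emitted by lib/private/legacy/response.php, any `Header set` or `Header append` line in .htaccess, or a proxy such as Cloudflare adding its own copy, produces the second one, and removing the extra source rather than adding more directives is what makes the warning disappear.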

I would contact Cloudflare support.

I will try to contact them today, but I don't know what to ask them.