Hi, after the update to nextcloud the following configuration message appeared:
The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential security or privacy risk, and we recommend changing this setting.
To solve the security warning I added the following line to the .htaccess file:
Header always append X-Frame-Options SAMEORIGIN
As you can see in the screenshot above, the X-Frame-Options header is set twice, 1x from .htaccess and 1x from PHP. Obviously ~/lib/private/legacy/response.php is doing it.
I have a similar situation, but self hosted. .htaccess includes the header line and my server config does it, too. So the server sets the header twice and I see the warning. I deleted it from .htaccess, because the server config is used for several subdomains and I do not want to have different configs for different subdomains.
I do not know if a double header line is a security risk. If not, and if your hoster cannot fix it, just ignore it …
Hi All,
After reading so many posts here and there… What finally worked for me was to realize and make sure that there is only one "version" of sameorigin or SAME ORIGIN or noreferrer (and variations) or strict origin (and variations) in all your .htaccess and .conf files (nextcloud-ssl.conf or any name you gave it). In my case I left only this:
Header always set Referrer-Policy "strict-origin-when-cross-origin"
In my nextcloud-le-ssl.conf under the /etc/apache2/sites-enabled directory.
Hope this helps all of you.
Fernando
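The doubled X-Frame-Options header described in the posts above (one copy from .htaccess or the vhost, one from Nextcloud's PHP) can be confirmed from the response itself, and the second source can be located by scanning the Apache config. The script below is an added example; it is not code from this thread or from Nextcloud. It parses a raw response head as `curl -sI` would print it and reports whether X-Frame-Options is missing, duplicated (either two header lines, or a comma-merged "SAMEORIGIN, SAMEORIGIN" value, which is what `Header append` produces when PHP has already set the header) or exactly SAMEORIGIN, the only form the warning accepts. It then finds every live `Header` directive for that name across .htaccess and .conf text, skipping commented-out lines, so the duplicate Fernando's post says to remove can be found. The responses, config excerpts and file paths are constructed for the example.

```python
import re
from collections import defaultdict

# --- Constructed sample responses (not captured from a real server) --------
# 'Header always append X-Frame-Options SAMEORIGIN' in .htaccess merges its
# value onto the one Nextcloud's PHP already set, comma-separated.
RESPONSE_APPEND = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
# 'Header always set X-Frame-Options DENY' in a global ssl.conf plus the PHP
# header: two separate lines with conflicting values.
RESPONSE_TWO_LINES = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
# Only one source left: what the Nextcloud check wants to see.
RESPONSE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw response head into {lowercase-name: [value, ...]},
    keeping one list entry per header line so repeated lines stay visible."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def header_values(headers: dict[str, list[str]], name: str) -> list[str]:
    """All values seen for `name`, splitting comma-merged values so that
    'SAMEORIGIN, SAMEORIGIN' (the result of Header append) counts as two."""
    values: list[str] = []
    for raw_value in headers.get(name.lower(), []):
        values.extend(p.strip() for p in raw_value.split(",") if p.strip())
    return values


def check_x_frame_options(raw_response: str) -> tuple[str, list[str]]:
    """Classify X-Frame-Options the way the warning in the thread does:
    it is only satisfied by exactly one value, SAMEORIGIN."""
    values = header_values(parse_headers(raw_response), "X-Frame-Options")
    if not values:
        return "missing", values
    if len(values) > 1:
        return "duplicated", values  # two sources, whatever the values
    if values[0].upper() != "SAMEORIGIN":
        return "unexpected", values  # e.g. DENY from a global ssl.conf
    return "ok", values


# --- Finding the second source in the Apache config ------------------------
# Matches 'Header [always|onsuccess] <action> <name> [value]'. A leading '#'
# prevents the match, so a commented-out line (the fix in the last post) is
# correctly treated as gone.
HEADER_DIRECTIVE = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?'
    r'(?P<action>set|append|add|merge|unset|edit|echo)\s+'
    r'"?(?P<name>[\w-]+)"?'
    r'(?:\s+(?P<value>.*?))?\s*$',
    re.IGNORECASE,
)

# Constructed excerpts; the paths are assumptions for the example.
CONFIG_FILES = {
    "/var/www/nextcloud/.htaccess": (
        "<IfModule mod_headers.c>\n"
        "  Header always append X-Frame-Options SAMEORIGIN\n"
        '  Header always set Referrer-Policy "strict-origin-when-cross-origin"\n'
        "</IfModule>\n"
    ),
    "/etc/httpd/conf.d/ssl.conf": (
        "Header always set X-Frame-Options DENY\n"
        "#Header always set X-Frame-Options SAMEORIGIN\n"
    ),
}


def find_header_directives(files: dict[str, str], header_name: str) -> list[tuple[str, int, str, str]]:
    """Return (path, line number, action, value) for every live Header
    directive that touches `header_name` in the given config texts."""
    hits: list[tuple[str, int, str, str]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = HEADER_DIRECTIVE.match(line)
            if m and m.group("name").lower() == header_name.lower():
                value = (m.group("value") or "").strip().strip('"')
                hits.append((path, lineno, m.group("action").lower(), value))
    return hits


if __name__ == "__main__":
    for label, resp in [("append", RESPONSE_APPEND), ("two lines", RESPONSE_TWO_LINES), ("clean", RESPONSE_CLEAN)]:
        print(label, check_x_frame_options(resp))
    for hit in find_header_directives(CONFIG_FILES, "X-Frame-Options"):
        print("X-Frame-Options touched by %s:%d (%s %s)" % hit)
```

To run this against a real install, replace the constructed responses with the output of `curl -sI` on the Nextcloud URL and load the real .htaccess and vhost files into the dictionary; more than one hit for X-Frame-Options, or a duplicated verdict on the response, means a second source is still active somewhere.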
I had the same problem; you need to comment out the following line in /etc/httpd/conf.d/ssl.conf
from
Header always set X-Frame-Options DENY
to #Header always set X-Frame-Options DENY