The "SAMEORIGIN" warning does not go away!

This is what Google Chrome says about your HTTP headers (press F12):

Perhaps Cloudflare is the problem?

I do not think so, because I do not use Cloudflare; Nextcloud is hosted on shared hosting.

As you can see in the screenshot above, the X-Frame-Options header is set twice, 1x from .htaccess and 1x from PHP. Obviously ~/lib/private/legacy/response.php is doing it.

I would contact Cloudflare support.

But maybe your hoster does?

1 Like

No, I asked technical support.

I would send them the screenshot above and ask why the headers behind the CDN are not recognized by Nextcloud.

Which CDN or reverse proxy do they use?

I have not asked; surely it is their private security system, they are a very large company.

If you are using nginx then remove it:
https://docs.nextcloud.com/server/12/admin_manual/release_notes.html

1 Like

My hosting uses Apache :sob:
I cannot understand why this warning appears! It comforts me that it actually works.

I have a similar situation, but self hosted. .htaccess includes the header line and my server config does it, too. So the server sets the header twice and I see the warning. I deleted it from .htaccess, because the server config is used for several subdomains and I do not want to have different configs for different subdomains.
I do not know if a double header line is a security risk. If not, and if your hoster cannot fix it, just ignore it …

1 Like
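A small checker for the double-header situation described in this thread, written as an added example (it is not code from the thread or from Nextcloud): it parses a raw response header block, which you can paste from the browser devtools or pipe in from `curl -sI`, and reports whether X-Frame-Options is missing, set once with an accepted value, set twice with the same value (the harmless-but-noisy case from `.htaccess` plus PHP above), or set with conflicting values (for example DENY from a global `ssl.conf` and SAMEORIGIN from `.htaccess`). The accepted values are the two Nextcloud's setup check looks for; the sample responses below are constructed for the demonstration.

```python
"""Report duplicate, conflicting or missing X-Frame-Options headers in a raw HTTP response."""
import sys
from typing import Dict, List, Tuple

# Values Nextcloud's setup check accepts for this header (core/js/setupchecks.js).
ACCEPTED_VALUES = ("SAMEORIGIN", "DENY")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn a raw response header block into ordered (name, value) pairs.

    Duplicates are kept, which is the whole point: a browser sees each
    occurrence separately, so the parser must not collapse them into a dict.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if not line.strip():
            if pairs:
                break                     # blank line terminates the header block
            continue                      # tolerate leading blank lines
        if line.upper().startswith("HTTP/"):
            continue                      # status line, e.g. "HTTP/1.1 200 OK"
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not a header line (e.g. a pasted prompt)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_x_frame_options(raw: str) -> Dict[str, object]:
    """Classify the X-Frame-Options situation and say what a defender should do."""
    values = [v.upper() for n, v in parse_headers(raw) if n == "x-frame-options"]
    distinct = sorted(set(values))
    if not values:
        status = "missing"
        advice = "No X-Frame-Options at all: add it in exactly one place (web server or .htaccess)."
    elif len(distinct) > 1:
        status = "conflict"
        advice = ("Two different values (%s): browsers cannot honour both; keep one source."
                  % ", ".join(distinct))
    elif len(values) > 1:
        status = "duplicate"
        advice = ("Same value sent %d times: framing policy is intact, but remove the duplicate "
                  "so scanners and the Nextcloud setup check stop warning." % len(values))
    elif values[0] not in ACCEPTED_VALUES:
        status = "unrecognized"
        advice = "Value %r is not one of %s." % (values[0], "/".join(ACCEPTED_VALUES))
    else:
        status = "ok"
        advice = "Header set once with an accepted value."
    return {"status": status, "count": len(values), "values": values, "advice": advice}


# Constructed sample responses, one per situation discussed in the thread.
SAMPLE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
SAMPLE_DUPLICATE = (  # .htaccess and PHP both emit the header
    "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
)
SAMPLE_CONFLICT = (  # global ssl.conf says DENY, .htaccess says SAMEORIGIN
    "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
)
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def main() -> None:
    if not sys.stdin.isatty():            # e.g. curl -sI https://cloud.example.test/ | python3 xfo_check.py
        raw = sys.stdin.read()
        print(check_x_frame_options(raw))
        return
    for label, sample in (("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUPLICATE),
                          ("conflict", SAMPLE_CONFLICT), ("missing", SAMPLE_MISSING)):
        print(label, "->", check_x_frame_options(sample))


if __name__ == "__main__":
    main()
```

Run it without input to see the four constructed cases, or feed it real headers from your own host with `curl -sI` on the command line. The `duplicate` verdict is the one most of the posts in this thread hit: the protection itself is fine, the warning is only about the redundant second copy.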

Hi All,
After reading so many posts here and there… What finally worked for me was to realize and make sure that there is only one "version" of sameorigin or SAME ORIGIN or noreferrer/and variations or strict origin/and variations in all your .htaccess and .conf (nextcloud-ssl.conf or any name you gave it). In my case I left only this:
Header always set Referrer-Policy "strict-origin-when-cross-origin"
In my nextcloud-le-ssl.conf under the /etc/apache2/sites-enabled directory.
Hope this helps all of you.
Fernando

I had the same problem, you need to comment out the following from /etc/httpd/conf.d/ssl.conf
from
Header always set X-Frame-Options DENY
to
#Header always set X-Frame-Options DENY

for me it was changing the line:

Header always set X-Frame-Options DENY

to

# Header always set X-Frame-Options DENY

in

/etc/apache2/conf-enabled/ssl-params.conf

1 Like

You guys can refer to /core/doc/admin/_sources/installation/nginx.rst.txt.
So change the line:
add_header X-Frame-Options "SAMEORIGIN";
to:
add_header X-Frame-Options "SAMEORIGIN" always;
in Nginx/site-cons/default

Nevertheless, scan.nextcloud.com shows a warning:

X-Frame-Options

The X-Frame-Options response header indicates whether a page can be iframed by other pages. An incorrect setting may allow so called “Clickjacking” attacks.

So, what can or should or must I do to avoid that warning?

[NC 17.0.0, PHP 7.3.11, NGINX 1.10.3, Raspbian 9.0]

As a layman linux user this thread is confusing beyond all belief.

I updated my self hosted NC server to 17 and got the warning about same origin and came upon this thread in attempt to make it go away, however to me in my case it seems it’s NC not setting and not detecting the header properly.

Removing the SAMEORIGIN from /etc/nginx/header.conf and /var/www/nextcloud/.htaccess (the only files that contained the string SAMEORIGIN) causes the header not to be set at all; Nextcloud warns about it and the NC security scan shows the header as missing.

The only way I am able to set this header is to include add_header X-Frame-Options “SAMEORIGIN” always; in /etc/nginx/header.conf and keep it commented out in .htaccess, in which case both nextcloud overview page and nextcloud security scan page still claim the header is missing however the header is being set as proven by this picture: https://turbomrak.ddns.net/s/oD279BmCeZtGiK4

So now I’m not really sure what’s going on, but I’m inclined to believe my own eyes over the documentation in this case, because if I do what the release notes say, the header is not set…

1 Like

For nginx there is already a pull request for the documentation. See here: https://github.com/nextcloud/documentation/pull/1630

I lost a lot of time solving this using apache2.
I discovered that in /www/nextcloud/.htaccess there are already these lines:
………
Header always set X-Content-Type-Options "nosniff"
…….
Header always set X-Frame-Options "SAMEORIGIN"
………
For the SAMEORIGIN line I deleted "always" and wrote:
Header set X-Frame-Options "SAMEORIGIN"

with the same line also in /www/.htaccess

no more warning!!! I lost security???

I use this solution for my NC18 with nginx, and the warning is gone.

Thank you hugalafutro, thank you.

There doesn’t seem to be a resolution to this issue I can find so I’m posting to this topic:

After a recent update to version 20.0.7 I am now also seeing the same warning. Previous to this I had no issues with an A+ rating on the security scan (https://scan.nextcloud.com/). I can only presume that this is a bug somewhere.

https://securityheaders.com/ shows x-frame-options set correctly.

I am still finding my way so would appreciate any assistance.

Actions taken

Following findings (detailed below), SAMEORIGIN appears to be set in two files in webroot.

Commenting out the line from OC_Response.php yields no changes.
Commenting out the line from .htaccess will remove the x-frame-options from devtools (firefox) however it still passes the securityheaders.com test, which is strange.

I may be wrong, however x-frame-options appears to be set twice, yet only .htaccess appears to change behavior, so I can only conclude that the …/legacy/OC_Response.php has been deprecated or is no longer used?

If this is the case then x-frame-options is set only once and the error is being incorrectly reported?

Any assistance would be appreciated.

Further details below:

I am running nextcloud on TrueNas 12 in an iocage jail. Jail version is up to date.

Nextcloud version 20.0.7 (stable - current version as of today):

$ httpd -v
Server version: Apache/2.4.46 (FreeBSD)
Server built:   unknown
$ php -v
PHP 7.4.15 (cli) (built: Feb  6 2021 01:13:03) ( NTS )
...

Using devtools (firefox) I can see that the x-frame-options: SAMEORIGIN is set once (I am accessing the site via public url).

grep -r SAMEORIGIN * from the webroot yields two relevant entries:

nextcloud/.htaccess:    Header always set X-Frame-Options "SAMEORIGIN"
nextcloud/lib/private/legacy/OC_Response.php:                     header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains

All entries are as follows:

nextcloud/.htaccess:    Header always set X-Frame-Options "SAMEORIGIN"
nextcloud/core/doc/admin/installation/harden_server.html:<dt><code class="docutils literal notranslate"><span class="pre">X-Frame-Options:</span> <span class="pre">SAMEORIGIN</span></code></dt><dd><ul>
nextcloud/core/doc/admin/installation/nginx.html:    <span class="kn">add_header</span> <span class="s">X-Frame-Options</span>                      <span class="s">&quot;SAMEORIGIN&quot;</span>    <span class="s">always</span><span class="p">;</span>
nextcloud/core/doc/admin/installation/nginx.html:        <span class="kn">add_header</span> <span class="s">X-Frame-Options</span>                      <span class="s">&quot;SAMEORIGIN&quot;</span>    <span class="s">always</span><span class="p">;</span>
nextcloud/core/doc/admin/_sources/installation/nginx.rst.txt:      add_header X-Frame-Options                      "SAMEORIGIN"    always;
nextcloud/core/doc/admin/_sources/installation/nginx.rst.txt:          add_header X-Frame-Options                      "SAMEORIGIN"    always;
nextcloud/core/doc/admin/_sources/installation/harden_server.rst.txt:- ``X-Frame-Options: SAMEORIGIN``
nextcloud/core/js/setupchecks.js:                                       'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       msg: 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                               'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                               'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                               'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                               'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/core/js/tests/specs/setupchecksSpec.js:                       'X-Frame-Options': 'SAMEORIGIN',
nextcloud/lib/private/legacy/OC_Response.php:                   header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains