The "SAMEORIGIN" warning does not go away!

and what should i do because of this ?

I do not think so, because I do not use cloudflare, nextcloud is hosted on a shared hosting

As you can see in the screenshot above, the X-Frame-Options header is set twice, 1x from .htaccess and 1x from PHP. Obviously ~/lib/private/legacy/response.php is doing it.

I would contact Cloudflare support.

I will try contact them today, but don’t know what to ask them .

But maybe your hoster does?

1 Like

no, I asked technical support

I would send them the screenshot above and ask why the headers behind the CDN are not recognized by Nextcloud.

Which CDN or reverse proxy do they use?

I have not asked, surely it will be their private security system, they are a very large company

If you are using nginx then remove it:

1 Like

my hosting uses apache :sob:
I can not understand why this warning! It comforts me that it actually works

I have a similar situation, but self hosted. .htaccess includes the header line and my server config does it, too. So the server sets the header twice and I see the warning. I deleted it from .htaccess, because the server config is used for several subdomains and I do not want to have different configs for different subdomains.
I do not know if a double header line is a security risk. If not, and if your hoster cannot fix it, just ignore it …

1 Like

Hi All,
After reading so many posts her and there… What finally worked for me was to realize and make sure that there is only one “version” of sameorigin or SAME ORIGIN or noreferrer/and variations or strict origin/and variations in all your .htaccess and .conf (nextcloud-ssl.conf or any name you gave it). In my case I left only this:
Header always set Referrer-Policy “strict-origin-when-cross-origin”
In my nextcloud-le-ssl.conf under the /etc/apache2/sites-enabled directory.
Hope this help all of you.

I had the same problem, you need to comment out the following from /etc/httpd/conf.d/ssl.conf
Header always set X-Frame-Options DENY
#Header always set X-Frame-Options DENY

for me it was changing the line:

Header always set X-Frame-Options DENY


# Header always set X-Frame-Options DENY



You guys can refer to /core/doc/admin/_sources/installation/nginx.rst.txt.
So change the line:
add_header X-Frame-Options “SAMEORIGIN” ;
add_header X-Frame-Options “SAMEORIGIN” always;
in Nginx/site-cons/default

Nevertheless, shows a warning:


The X-Frame-Options response header indicates whether a page can be iframed by other pages. An incorrect setting may allow so called “Clickjacking” attacks.

So, what can or should or must I do to avoid that warning?

[NC 17.0.0, PHP 7.3.11, NGINX 1.10.3, Raspbian 9.0]

As a layman linux user this thread is confusing beyond all belief.

I updated my self hosted NC server to 17 and got the warning about same origin and came upon this thread in attempt to make it go away, however to me in my case it seems it’s NC not setting and not detecting the header properly.

Removing the SAMEORIGIN from /etc/nginx/header.conf and /var/www/nextcloud/.htaccess (only files that contained string SAMEORIGIN) causes the header not being set at all, nextcloud warns about it and the NC security scan shows the header as missing.

The only way I am able to set this header is to include add_header X-Frame-Options “SAMEORIGIN” always; in /etc/nginx/header.conf and keep it commented out in .htaccess, in which case both nextcloud overview page and nextcloud security scan page still claim the header is missing however the header is being set as proven by this picture:

So now I’m not really sure what’s going on, but I’m inclined to believe my own eyes over the documentation in this case, because if I do what the release notes say, the header is not set…

1 Like

For nginx there is already a pull request for the documentation. See here:

I lost a lot of time to solve using apache2
I discovered that in /www/nextcloud/.htaccess there are already these lines:
Header always set X-content-Type-Options “nosniff”
Header always set X-Frame-Options “SAMEORIGIN”
for the SAMEORIGIN LINE I deleted always and wrote:
Header set X-Frame-Options “SAMEORIGIN”

with the same line also in /www/.htaccess

no more warning!!! I lost security???

I use this solution for my NC18 with nginx, and the warning gone.

Thank you hugalafutro, Terimakasih.