The "SAMEORIGIN" warning does not go away!

But maybe your hoster does?

1 Like

no, I asked technical support

I would send them the screenshot above and ask why the headers behind the CDN are not recognized by Nextcloud.

Which CDN or reverse proxy do they use?

I have not asked, surely it will be their private security system, they are a very large company

If you are using nginx then remove it:
https://docs.nextcloud.com/server/12/admin_manual/release_notes.html

1 Like

my hosting uses apache :sob:
I can not understand why this warning! It comforts me that it actually works

I have a similar situation, but self hosted. .htaccess includes the header line and my server config does it, too. So the server sets the header twice and I see the warning. I deleted it from .htaccess, because the server config is used for several subdomains and I do not want to have different configs for different subdomains.
I do not know if a double header line is a security risk. If not, and if your hoster cannot fix it, just ignore it …

1 Like

Hi All,
After reading so many posts her and there… What finally worked for me was to realize and make sure that there is only one “version” of sameorigin or SAME ORIGIN or noreferrer/and variations or strict origin/and variations in all your .htaccess and .conf (nextcloud-ssl.conf or any name you gave it). In my case I left only this:
Header always set Referrer-Policy “strict-origin-when-cross-origin”
In my nextcloud-le-ssl.conf under the /etc/apache2/sites-enabled directory.
Hope this help all of you.
Fernando

I had the same problem, you need to comment out the following from /etc/httpd/conf.d/ssl.conf
from
Header always set X-Frame-Options DENY
to
#Header always set X-Frame-Options DENY

for me it was changing the line:

Header always set X-Frame-Options DENY

to

# Header always set X-Frame-Options DENY

in

/etc/apache2/conf-enabled/ssl-params.conf

You guys can refer to /core/doc/admin/_sources/installation/nginx.rst.txt.
So change the line:
add_header X-Frame-Options “SAMEORIGIN” ;
to:
add_header X-Frame-Options “SAMEORIGIN” always;
in Nginx/site-cons/default

Nevertheless, scan.nextcloud.com shows a warning:

X-Frame-Options

The X-Frame-Options response header indicates whether a page can be iframed by other pages. An incorrect setting may allow so called “Clickjacking” attacks.

So, what can or should or must I do to avoid that warning?

[NC 17.0.0, PHP 7.3.11, NGINX 1.10.3, Raspbian 9.0]

As a layman linux user this thread is confusing beyond all belief.

I updated my self hosted NC server to 17 and got the warning about same origin and came upon this thread in attempt to make it go away, however to me in my case it seems it’s NC not setting and not detecting the header properly.

Removing the SAMEORIGIN from /etc/nginx/header.conf and /var/www/nextcloud/.htaccess (only files that contained string SAMEORIGIN) causes the header not being set at all, nextcloud warns about it and the NC security scan shows the header as missing.

The only way I am able to set this header is to include add_header X-Frame-Options “SAMEORIGIN” always; in /etc/nginx/header.conf and keep it commented out in .htaccess, in which case both nextcloud overview page and nextcloud security scan page still claim the header is missing however the header is being set as proven by this picture: https://turbomrak.ddns.net/s/oD279BmCeZtGiK4

So now I’m not really sure what’s going on, but I’m inclined to believe my own eyes over the documentation in this case, because if I do what the release notes say, the header is not set…

For nginx there is already a pull request for the documentation. See here: https://github.com/nextcloud/documentation/pull/1630