The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow"

I just updated my Nextcloud installation to 26.0 and got the error “The “X-Robots-Tag” HTTP header is not set to “noindex, nofollow”.”

I solved it by amending/adding this line in nextcloud/config/nginx/site-confs/default.conf:

add_header X-Robots-Tag “noindex, nofollow” always;

I have Nextcloud running in docker using the linuxserver images.

I’ve posted this info here because yesterday I spent rather a long time trying to find a solution and couldn’t. Hoping it will help someone.

3 Likes

This was yesterday already diskussed here:

2 Likes

Hello and thank you for sharing your experience.

My instance has an identical warning but I am unable to fix it.
It’s hosted on Truenas in jail environment. I edited an nginx config that is responsible for my instance nextcloud.conf by adding the line that you have mentioned in the server section but the warning is still there.
Any suggestion?
Thank you.

1 Like

All I suggest is that you look for your site.confs folder and in there you should see a default.conf.

There should already be a add_header X-Robots-Tag line in there so you need to edit that rather than just adding another add_header X-Robots-Tag line.

Other than that I have no idea.

1 Like

We have the same problem and we also cannot solve the problem. if we test our server with curl we can see that the x-robots-tag is there.
[/details]

curl -v https://<url>

$ curl -v https://

  • Rebuilt URL to: https://
  • TCP_NODELAY set
  • port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.3 (OUT), TLS handshake, [no content] (0):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • start date: Mar 2 06:27:26 2023 GMT
  • expire date: May 31 06:27:25 2023 GMT
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • Using Stream ID: 1 (easy handle 0x55af4c34e6d0)
  • TLSv1.3 (OUT), TLS app data, [no content] (0):

GET / HTTP/2
Host:
User-Agent: curl/7.61.1
Accept: /

  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS handshake, [no content] (0):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS app data, [no content] (0):
  • Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
  • TLSv1.3 (OUT), TLS app data, [no content] (0):
  • TLSv1.3 (IN), TLS app data, [no content] (0):
  • TLSv1.3 (IN), TLS app data, [no content] (0):
    < HTTP/2 302
    < server: nginx
    < date: Mon, 27 Mar 2023 14:57:40 GMT
    < content-type: text/html; charset=UTF-8
    < location: https:///login
    < set-cookie: oc_sessionPassphrase=4%2BY6mBPQJmt5ClRR8bQsza%2FnvbqVul21h6FuxEt2LJDOFYG91Ylr695NPSKYyIH2fGsed7VZ5xwlxd0h3%2FpEvMGJJ%2BBFLv7zypuRm%2F3HN6yfodX80id3WCgMLb8ke12I; path=/; secure; HttpOnly; SameSite=Lax
    < content-security-policy: default-src ‘self’; script-src ‘self’ ‘nonce-bllQQ3JWUlpCZ2l3dDh2N0lSdm9WUHpTM3EvNnpJTXVuZ0JaUm55WlRwST06NWZPMzNpVWpjRUtKMDZDaGRXcVBIYnJsdC8rTHVxaDd0V01BY2tyd0Rmbz0=’; style-src ‘self’ ‘unsafe-inline’; frame-src *; img-src * data: blob:; font-src ‘self’ data:; media-src *; connect-src ; object-src ‘none’; base-uri ‘self’;
    < set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
    < set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
    < set-cookie: ocinrae3olnk=p53ooh0otb0skj9q8posle6bqh; path=/; secure; HttpOnly; SameSite=Lax
    < expires: Thu, 19 Nov 1981 08:52:00 GMT
    < cache-control: no-store, no-cache, must-revalidate
    < pragma: no-cache
    < permissions-policy: geolocation=(self), fullscreen=

    < x-robots-tag: noindex, nofollow
    < referrer-policy: no-referrer
    < x-content-type-options: nosniff
    < x-download-options: noopen
    < x-frame-options: SAMEORIGIN
    < x-permitted-cross-domain-policies: none
    < x-xss-protection: 1; mode=block
    < x-robots-tag: noindex, nofollow
    < strict-transport-security: max-age=31622400; includeSubDomains; preload
    < front-end-https: on
    <

To keep discussion at one place I suggest to head over to „X-Robots-Tag“-HTTP-Header not configured with „noindex, nofollow“ since NC 26.0.0

and go on discussing there as I am gonna close this thread here, now.

a BIIIIG Thank you to @scgf for your effort and good work!

1 Like