Nextcloud version (eg, 12.0.2): 15.0.1
Operating system and version (eg, Ubuntu 17.04): RHEL 7.6
Apache or nginx version (eg, Apache 2.4.25): 2.4.6
PHP version (eg, 7.1): 7.3.2
The issue you are facing:
I keep seeing these warnings about HTTP headers -
There are some warnings regarding your setup.
The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the W3C Recommendation ↗.
However, if I use curl to look at the http headers, I see that they are indeed set. The only place I have set these headers is in my apache config file.
Curl output -
curl -v https://test.localsite.tld/nextcloud
* Trying <ip address>...
* TCP_NODELAY set
* Connected to test.localsite.tld (<ip address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=test.localsite.tld
* start date: Jan 23 01:32:01 2019 GMT
* expire date: Apr 23 01:32:01 2019 GMT
* subjectAltName: host "test.localsite.tld" matched cert's "test.localsite.tld"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET /nextcloud HTTP/1.1
> Host: test.localsite.tld
> User-Agent: curl/7.61.1
> Accept: */*
>
< Date: Wed, 27 Feb 2019 02:07:48 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubdomains
< Location: https://test.localsite.tld/nextcloud/
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< X-Robots-Tag: none
< X-Permitted-Cross-Domain-Policies: none
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
Is this the first time you’ve seen this error? (Y/N): Yes
I do not remember seeing this before but this seems to have propped up now. Any ideas on how I can get this fixed?
Thanks.