Warnings on Security & setup warnings

I’m having trouble with “Security & setup warnings”. I get the following warning when I write an X header to nginx.

There are some warnings regarding your setup.
The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

Checking by Nextcloud security scan.

Result is “A”. However, the Setup section states the following

  • NO - X-Frame-Options
  • NO - X-Content-Type-Options
  • NO - X-XSS-Protection
  • PASS - X-Download-Options
  • NO - X-Permitted-Cross-Domain-Policies

→ NO is an X and PASS is a check mark. If the pass is only “X-Download-Options”, I would question an A grade decision on that.

Next I verified with the Mozilla Observatory.

I added the X header to nginx to verify and the result was “B”.
The following are the items noted

  • Content Security Policy (CSP) header not implemented
  • Cookies Prefixed
  • *The X header I added is itself recognized.

So the X headers are recognized by the two sites (Nextcloud / Mozilla), so are the warnings in “Security & setup warnings” wrong?

I can add the X header and run “curl -i URL” and it will output the X header, or not if I don’t add it.

How can I fix this crazy state?

I check the response headers in the browser’s developer tools and the X headers are returned.

I don’t understand this either.

My first guess was that the header check is case sensitive, but that’s not the case: my headers are lower-case as well, and I have no warnings and an A+ Nextcloud security scan result.


I see all your headers are doubled. This may or may not be an issue, please review.

If you had provided us with the support form, we would have known what your server config was, but…

So, guessing with the help of my crystal ball, you might use Apache… it could be a misconfiguration, but as you get A+, maybe not.

So next on the list is /var/www/… …/.htaccess
It should look something like this, depending on your system:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)(\?v=.*)?$">
    Header set Cache-Control "max-age=15778463, immutable"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>


# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //


I see all your headers are doubled. This may or may not be an issue, please review.

I too have not been able to figure out why each of these headers is duplicated, showing two lines each. There is a switch in the Firefox developer tools called “raw header”, and when I turn it on, each header is shown one at a time.

I have NC’s .htaccess permissions set to inaccessible, but those headers show duplicates. If the headers are removed, of course the X headers will not appear on the security check sites.

I still found the problem in nginx.conf. First, reduce nginx.conf to the minimum configuration to run the site. Then create test.html and check the headers. Then, of course, the X headers are not set.

Then I checked by appending only the X headers to nginx.conf and each one was set correctly, both in the developer tools and on the verification site. Next, I created nginx.conf as described on the official site.
https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

I configured nginx.conf by adding parts step by step. ~~It seems that the only way to make each X header display independently is to put only the X header in nginx.conf. ~~
After all, adding the X headers will duplicate the NC in the open browser, and removing the X headers will eliminate the headers.

Just removing the X headers from nginx.conf on the above site will set the X header in the browser. Which setting is making the browser recognize it twice?

Do you have this line in the Nextcloud php location block of your nginx configuration?

fastcgi_param modHeadersAvailable true;

Yes, I’m adding it.

curl -i https://MY-NEXTCLOUD/index.html

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 21 Sep 2022 03:39:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 156
Last-Modified: Thu, 08 Sep 2022 10:32:53 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "6319c4d5-9c"
Strict-Transport-Security: max-age=15768000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'XXX';
Accept-Ranges: bytes
<!DOCTYPE html>
<html>
<head>
<script> window.location.href="index.php"; </script>
<meta http-equiv="refresh" content="0; URL=index.php">
</head>
</html>

curl -i https://MY-NEXTCLOUD/index.php

HTTP/1.1 302 Found
Server: nginx
Date: Wed, 21 Sep 2022 03:40:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=XXX; path=/; secure; HttpOnly; ameSite=Lax
Set-Cookie: ocSERIAL=YYY; path=/; secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-ZZZ'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://MY-NEXTCLOUD/index.php/login
Strict-Transport-Security: max-age=15768000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'XXX';

Checking with the curl command, index.html seems to read the X headers only once and *****.php twice.

Is this similar to this issue on Github?
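A check for the state shown in the two curl transcripts above, as an added example that is not code from the thread or from the Nextcloud project: it parses a `curl -i` transcript, normalises header names to lower case (HTTP header names are case-insensitive, which is why the case-sensitivity guess earlier in the thread could not explain the warnings), and reports which of the headers named in the setup warnings appear more than once, are missing, or carry a value other than the expected one. The three sample responses are constructed from the transcripts in the thread, with `cloud.example.invalid` standing in for MY-NEXTCLOUD; the `EXPECTED` table is the hypothetical list of header/value pairs taken from the warnings quoted at the top of the thread.

```python
"""Audit the security headers in a raw HTTP response for duplicated,
missing and unexpected entries.

Added example; not code from the forum thread or from Nextcloud itself.
Input is the text produced by `curl -i <URL>`.
"""

# Header names and values taken from the setup warnings quoted in the
# thread (assumed list for this example). Names are lower-cased because
# HTTP header names are case-insensitive; a case-sensitive comparison
# would flag "x-frame-options" as missing even though it is present.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-robots-tag": "none",
    "x-frame-options": "sameorigin",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "no-referrer",
}


def parse_headers(raw):
    """Return [(name, value), ...] from a `curl -i` style response.

    Every occurrence is kept, so a header the server sent twice shows
    up twice in the result instead of being collapsed into one entry.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # headers end at the blank line
    lines = head.split("\n")
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    headers = []
    for line in lines:
        if ":" not in line:
            continue  # not a header line; ignore
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(raw):
    """Report which expected headers are duplicated, missing or wrong."""
    seen = {}
    for name, value in parse_headers(raw):
        seen.setdefault(name, []).append(value)
    duplicated = {n: len(v) for n, v in seen.items() if n in EXPECTED and len(v) > 1}
    missing = [n for n in EXPECTED if n not in seen]
    wrong_value = {
        n: seen[n] for n, want in EXPECTED.items()
        if n in seen and any(v.lower() != want for v in seen[n])
    }
    return {"duplicated": duplicated, "missing": missing, "wrong_value": wrong_value}


# Constructed sample modelled on the index.php transcript: each header
# appears once early in the response and once again after Location.
DOUBLED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-Robots-Tag: none\r\n"
    "Location: https://cloud.example.invalid/index.php/login\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "x-content-type-options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-Robots-Tag: none\r\n"
    "\r\n"
    "<html></html>\r\n"
)

# Constructed sample modelled on the index.html transcript: static file,
# each header present exactly once.
SINGLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-Robots-Tag: none\r\n"
    "\r\n"
    "<!DOCTYPE html>\r\n"
)

# Constructed sample: a bare test page served by a minimal nginx config,
# with no security headers at all (the test.html step in the thread).
BARE_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"


if __name__ == "__main__":
    for label, raw in (("index.php", DOUBLED_RESPONSE),
                       ("index.html", SINGLE_RESPONSE),
                       ("bare test.html", BARE_RESPONSE)):
        print(label, audit(raw))
```

To use it against a live server, save `curl -si https://MY-NEXTCLOUD/index.php` to a file and pass its contents to `audit()`. A non-empty `duplicated` result matches what the transcripts above show for index.php: the same header is being added at two points in the response pipeline, which is the situation the `.htaccess` comment about doubled headers and the `fastcgi_param modHeadersAvailable true;` question are both trying to rule out. An entry in `missing` is the condition the setup check actually warns about; a browser tolerates a duplicated header with identical values, but a missing one leaves the corresponding protection off.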