X-Download-Options NC24 Ubuntu 22.04

Nextcloud version: 24.0.0
Operating system and version: Ubuntu 22.04
Apache version: 2.4.52
PHP version: 8.1.2

Hello,

Since Ubuntu 22.04 and NC24 I no longer reach A+ on the security scan; I get an A.
This is due to X-Download-Options:

X-Download-Options

The X-Download-Options response header instructs Internet Explorer not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.

How can I set this option on Apache2?
I found the solution for Nginx but nothing for Apache2.

I solved the issue and got back my A+ score.

The line for X-Download-Options was missing in my .htaccess file; refer to the link below.
I added the lines related to X-Download-Options in my .htaccess, located as follows:

/var/www/nextcloud/.htaccess


Hey there, I am having the same issue. I found the .htaccess file but I do not understand how to edit it exactly as described by zertin.
There are many lines called like “Header onsuccess unset […]”.
I just don't get it right now.
Could you please help me out very quickly?
Thank you very much (:

This is my .htaccess file in /var/www/nextcloud/.htaccess:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUT>
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTH>
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" tab>
    # then add headers to "always" table: https://github.com/nextcl>
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)(\?v=.*)?$>
    Header set Cache-Control "max-age=15778463, immutable"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

# PHP 7.x
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [>
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /inde>
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|con>
</IfModule>

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|w>
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update\.php
  RewriteCond %{REQUEST_FILENAME} !/core/img/(favicon\.ico|manifest>
  RewriteCond %{REQUEST_FILENAME} !/(cron|public|remote|status)\.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v(1|2)\.php
  RewriteCond %{REQUEST_FILENAME} !/robots\.txt
  RewriteCond %{REQUEST_FILENAME} !/(ocm-provider|ocs-provider|upda>
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-va>
  RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/prox>
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

Your .htaccess also misses X-Download-Options between X-Content-Type-Options and X-Frame-Options, so add the following two lines in between:

Header onsuccess unset X-Download-Options
Header always set X-Download-Options “noopen”

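An added check, not from the thread and not part of Nextcloud: a POSIX shell script that tests a Nextcloud .htaccess for the two things that go wrong in this discussion, the X-Download-Options pair being absent from the mod_headers block, and the quotes around noopen having been pasted as typographic (non-ASCII) quotes, which Apache keeps as part of the header value so the scanner never sees a plain `noopen`. The fragment it writes is constructed for the example and only mirrors the layout of the Nextcloud file; the real path `/var/www/nextcloud/.htaccess` appears only in the usage comment.

```shell
#!/bin/sh
# Added example: verify that a Nextcloud .htaccess carries the X-Download-Options
# pair from this thread and that no Header line contains non-ASCII bytes
# (typographic quotes pasted from a web page). Returns 0 when the file passes,
# 1 otherwise, printing the reason.
check_htaccess() {
    file=$1
    rc=0
    # 1. Non-ASCII (or control) bytes on a Header line. In the C locale,
    #    [:print:] covers 0x20-0x7E only, so every byte of a UTF-8 quote such as
    #    U+201C matches the negated class. Apache would keep those bytes in the
    #    header value, so the scanner never sees a plain "noopen".
    bad=$(LC_ALL=C grep -n '^[[:space:]]*Header' "$file" \
          | LC_ALL=C grep '[^[:print:][:space:]]' || true)
    if [ -n "$bad" ]; then
        printf 'non-ASCII byte on Header line(s):\n%s\n' "$bad"
        rc=1
    fi
    # 2. The pair the thread adds: remove any copy from the "onsuccess" table,
    #    then set it in the "always" table so error responses carry it too.
    if ! grep -q '^[[:space:]]*Header onsuccess unset X-Download-Options[[:space:]]*$' "$file"; then
        echo 'missing: Header onsuccess unset X-Download-Options'
        rc=1
    fi
    if ! grep -q '^[[:space:]]*Header always set X-Download-Options "noopen"[[:space:]]*$' "$file"; then
        echo 'missing: Header always set X-Download-Options "noopen"'
        rc=1
    fi
    return "$rc"
}

# Constructed fragment with the shape of the mod_headers block in the Nextcloud
# file (not the real file): the pair sits between X-Content-Type-Options and
# X-Frame-Options, as the answer above says.
write_good_fragment() {
    cat > "$1" <<'EOF'
<IfModule mod_headers.c>
  <IfModule mod_env.c>
    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"
  </IfModule>
</IfModule>
EOF
}

# The same two lines as they arrive from a copy/paste that turned the quotes into
# U+201C / U+201D (written as octal UTF-8 escapes so the bytes are unambiguous).
write_pasted_fragment() {
    {
        printf '    Header onsuccess unset X-Download-Options\n'
        printf '    Header always set X-Download-Options \342\200\234noopen\342\200\235\n'
    } > "$1"
}

# Usage on a live install: check_htaccess /var/www/nextcloud/.htaccess
tmp="${TMPDIR:-/tmp}/htaccess_check.$$"
write_good_fragment "$tmp"
check_htaccess "$tmp" && echo 'constructed fragment: OK'
write_pasted_fragment "$tmp"
check_htaccess "$tmp" || echo 'pasted fragment: rejected, retype the quotes as ASCII 0x22'
rm -f "$tmp"
```

Run it against the real file after editing and before restarting Apache; a non-empty "non-ASCII byte" report means the line must be retyped rather than pasted, which is the fix the thread converges on further down.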

Awesome :fire:, that worked, thanks a lot :pray:


How long did it take for the security scan to show that this header option was added and upgrade the rating to A+? I've made the change and restarted Apache, but it still shows A with that option missing.

You can manually re-trigger a scan.

Hello, I'm running NC in a FreeBSD jail using Apache as the web server and nginx as a reverse proxy.
I followed the solution by adding those 2 lines of code to .htaccess, but unfortunately the security check still complains about X-Download-Options.
I restarted Apache and re-triggered the verification check, but the warning is still present.

In case this helps anyone: I copy/pasted the lines above and, although they look fine in the editor, there was an encoding problem that prevented “noopen” from rendering correctly. Typing is better than copy/paste and restored the A+ rating.

Just a few minutes.

You may have to add this option in the nginx configuration file .conf (/etc/nginx/conf.d/).

Check that the following option is present:

add_header X-Download-Options noopen;

Thanks @thierry333 :+1:

Just for the noobies like me: when I copy the lines from @thierry333 into the terminal, I receive for the second line:

 Header always set X-Download-Options `^`^|noopen ^`^`}

instead of

 Header always set X-Download-Options "noopen"

Therefore, here is the clean copy-paste version:

 Header onsuccess unset X-Download-Options
 Header always set X-Download-Options "noopen"

Hello, this is my nginx reverse proxy NC-related part:

location / {
add_header Strict-Transport-Security “max-age=15552000; includeSubDomains” always;
proxy_ssl_verify off;
proxy_pass http://10.0.0.48;
# set proper x-forwarded-headers
proxy_set_header ‘X-Forwarded-Host’ nextcloud.xxxx.com;
proxy_set_header ‘X-Forwarded-Proto’ https;
proxy_set_header ‘X-Download-Options’ noopen;
proxy_set_header Host $host;

This is the relevant part of my .htaccess file:

Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options “nosniff”

Header onsuccess unset X-Download-Options
Header always set X-Download-Options “noopen”

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

If that can help, I'm running the nginx reverse proxy on a Linux server
and NC from a TrueNAS FreeBSD jail using php81.
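An added example (mine, not from the thread or from the Nextcloud project): a shell check to run on a captured response, for instance the output of `curl -sI https://nextcloud.example.com/` (hostname assumed), before re-triggering the scan, which also answers the earlier question about how to know whether the change took. Two caveats it is built around: in nginx, `proxy_set_header` only alters the request forwarded upstream, so a `proxy_set_header 'X-Download-Options' noopen;` line in the proxy never reaches the browser, and the directive for adding a response header at the proxy is `add_header X-Download-Options noopen always;`; and a header set both in the backend's .htaccess and with `add_header` at the proxy arrives twice, which the check flags so it can be set in one place only. The sample responses are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example: inspect a captured HTTP response for the headers the Nextcloud
# .htaccess sets. Reads the raw response (status line + headers, CRLF or LF) on
# stdin. Prints every header that is missing, duplicated or carries a different
# value; returns 0 only when all are present exactly once with the expected value.
check_response_headers() {
    rc=0
    # Header names are case-insensitive (Apache emits X-XSS-Protection, a proxy
    # may re-case them), so lowercase the name and trim the value.
    normalised=$(tr -d '\r' | awk '{
        i = index($0, ":")
        if (i > 1 && substr($0, 1, 5) != "HTTP/") {
            name = tolower(substr($0, 1, i - 1))
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            print name ": " value
        }
    }')
    # Values as set by the Nextcloud 24 .htaccess above, plus the one this thread adds.
    for want in \
        'x-download-options: noopen' \
        'x-content-type-options: nosniff' \
        'x-frame-options: SAMEORIGIN' \
        'x-permitted-cross-domain-policies: none' \
        'x-robots-tag: none' \
        'x-xss-protection: 1; mode=block' \
        'referrer-policy: no-referrer'
    do
        name=${want%%:*}
        count=$(printf '%s\n' "$normalised" | grep -c "^$name:" || true)
        case "$count" in
            0) echo "missing: $want"; rc=1 ;;
            1) printf '%s\n' "$normalised" | grep -qx "$want" \
                   || { echo "unexpected value for $name"; rc=1; } ;;
            *) echo "duplicated ($count times): $name"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed response: status line, the headers the backend's .htaccess sets
# (without the X-Download-Options pair), then any extra header lines given as
# arguments, then the blank line that ends the header block.
sample_response() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: nginx' \
        'Content-Type: text/html; charset=UTF-8' \
        'Strict-Transport-Security: max-age=15552000; includeSubDomains' \
        'Referrer-Policy: no-referrer' 'X-Content-Type-Options: nosniff' \
        'X-Frame-Options: SAMEORIGIN' 'X-Permitted-Cross-Domain-Policies: none' \
        'X-Robots-Tag: none' 'X-XSS-Protection: 1; mode=block' "$@" ''
}
# .htaccess still without the pair (the proxy's proxy_set_header line changes nothing here).
sample_missing()   { sample_response; }
# After the .htaccess fix.
sample_fixed()     { sample_response 'X-Download-Options: noopen'; }
# After the fix, but X-Frame-Options is also added by add_header at the proxy
# (lowercased on purpose: the duplicate is detected regardless of case).
sample_duplicate() { sample_response 'X-Download-Options: noopen' 'x-frame-options: SAMEORIGIN'; }

# Real use: curl -sI https://nextcloud.example.com/ | check_response_headers
sample_missing   | check_response_headers || echo '-> pair absent: fix .htaccess, or add_header ... always at the proxy'
sample_fixed     | check_response_headers && echo '-> all headers present once; re-trigger the scan'
sample_duplicate | check_response_headers || echo '-> set each header in one place only'
```

Checking the response at the public hostname, through the proxy, is what matters: the scanner sees what the proxy emits, not what Apache sends on the jail's internal address.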

The " seems different on X-Download-Options; just try to copy the " from X-Frame-Options, for example. It is probably not the issue, but let's try.


I confirm it was the " character that was wrong. Working nicely right now.
Unfortunately I have just that on my Italian keyboard; they seem to be more inclined...
I'm thinking about how to solve that,
because it will be difficult to enter any part of code by typing... I just have to copy/paste... and I don't like that.


I wouldn't add it, since it was removed by the NC devs: X-Download-Options is only used in Internet Explorer, and no one at this point should be using IE. Please see the link below.