X-Frame Messages

Hi,

I have installed Nextcloud on a Centos distro with SSL and all. But I’m still running into one thing I can’t seem to get solved.

I’m getting these two warnings:

The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.

So I decided to try and solve them, going through other threads posted here and on the owncloud forums.
According to these thread I need to disable this in httpd.conf of the webserver.

But, when I search in httpd.conf I cannot find any headers being set. Nor in the configfiles for the vhosts.

When using curl to see what is being set, I see the following:

HTTP/1.1 302 Found
Date: Mon, 27 Mar 2017 12:44:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e PHP/7.0.16
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Powered-By: PHP/7.0.16
Set-Cookie: oc3ksdyyuucx=qva9ae9r4egdhp3l6e42s9a6s6; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=U1FVRp485U7gxgs7Mtk1nboWBHL3x%2FW3hd3ihde2CKGL1e%2B5CqTVezzPL1lq8zx9fOzSkZ6XxFlTTQz6d8NCtKpR4%2BjiJ9OL563UUAlUD0fstG8iuowGpHoCm5SAcATy; path=/; secure; HttpOnly
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-ZmlOcm5TNXF5bFZGOHRhb2lrT1ZHbkFBWXRjMnIySmhPcXFjWUZCQmV3VT06Q2xRWTgwSUdraDBYbjVqdjhoZldmd0JoQnFVQzVsY3RjOExOTnhWelBrWT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://nc.domain.com/index.php/login
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Type: text/html; charset=UTF-8

So, you see X-Frame-Options is set to DENY. But a little further is being set again to SAMEORIGIN.
The same goes for X-Content-Type-Options, but is being set twice for the same value.
What is also interesting is the expiration date of the cookies…

When commenting out the .htaccess header for X-Frame-options and X-Content-Type-Options the second headers form the output above are not set anymore.

Still I cannot find the first two settings… Not in the /etc/httpd/conf/httpd.conf, nor in /etc/httpd/sites-available.
Can someone please point me in the right direction?

Setup:
Apache/2.4.6 (CentOS)
OpenSSL/1.0.1e
PHP/7.0.16

Hi,

they are in the .htaccess files in your nextcloud installation folder. Using apache you can leave it to the .htaccess files and remove/ comment any configuration in /etc/apache2/* files.

Thats percisely the problem. I know these are also set in .htaccess. But unfortunately I cannot find any reference of setting headers in the apache config directory. In my case /etc/httpd/. I’m not using a debain distro, but centos.

Sorry, I read too quickly. I fear I can’t help then.
The only things I found are:

and:

Could the latter be a hint for some misconfiguration of your headers using too strict configuration?

This post here sounds interesting, but there was no further reply:

You don’t use a proxy, do you?

No. I’m not using proxy.
I’m now going through the second link.
I’ll keep you posted.

[update 1]
This post seems to help:

I’ve change Header set to Header always set for the two X-Content-Type-Options and X-Frame-Options in .htaccess. Error messages are gone now. I know this is not preferable, but I’m the only one using this instance of NC.

I still do not know where the DENY option is coming from.

Glad this helped for now.
Do you run a physical machine at home or is it a rented server on the Internet? Just asking because I read that providers might influence the headers to secure their customers.

What about a grep for “DENY” across all files? If the Scalpel doesn’t help, the big cannon could :smiley:
grep -R "DENY" /*

Sorry for just throwing stuff at you, I have no clue and while nobody else is assisting so far I’m just trying to give you some ideas where to look for problems.

I have a little home centos box.
So I ran the command, but not on /, grep exhausted memory and quit early. Instead I ran it on /etc.

It came back with a hit:

[root@centos /]# grep -R "DENY" /etc/*
/etc/letsencrypt/options-ssl-apache.conf:Header always set X-Frame-Options DENY

It looks like Let’s Encrypt (should have mentioned this) has it’s own basic configfile apart from the standard /etc/httpd config directory.

And lo and behold:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

So I commented it out for the latter two and revert the .htaccess back to it’s original value.

Yeah!

Security & setup warnings
All checks passed.

Hope other people find this helpful.

I just want to thank you so much for providing this code “grep -R “DENY” /etc/*”. with it I could find where my problem was.
I had the X-Frame-Option problem for as long as I remember. You are the first person who could help me with this problem.
Thank you very much.

Not all of us are natural Linux gurus, and most people don’t get that.

Hey @martva,
Thank you for posting your solution. Your grep was a really helpful idea!
Regards.

I fixed these header errors on my Nextcloud 17 installation by using: Header always set… (vs. Header set…)