X-Frame Messages

Hi,

I have installed Nextcloud on a CentOS distro with SSL and all. But I’m still running into one thing I can’t seem to get solved.

I’m getting these two warnings:

The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.

So I decided to try and solve them, going through other threads posted here and on the owncloud forums.
According to these threads I need to disable this in httpd.conf of the webserver.

But, when I search in httpd.conf I cannot find any headers being set. Nor in the config files for the vhosts.

When using curl to see what is being set, I see the following:

HTTP/1.1 302 Found
Date: Mon, 27 Mar 2017 12:44:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e PHP/7.0.16
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Powered-By: PHP/7.0.16
Set-Cookie: oc3ksdyyuucx=qva9ae9r4egdhp3l6e42s9a6s6; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=U1FVRp485U7gxgs7Mtk1nboWBHL3x%2FW3hd3ihde2CKGL1e%2B5CqTVezzPL1lq8zx9fOzSkZ6XxFlTTQz6d8NCtKpR4%2BjiJ9OL563UUAlUD0fstG8iuowGpHoCm5SAcATy; path=/; secure; HttpOnly
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-ZmlOcm5TNXF5bFZGOHRhb2lrT1ZHbkFBWXRjMnIySmhPcXFjWUZCQmV3VT06Q2xRWTgwSUdraDBYbjVqdjhoZldmd0JoQnFVQzVsY3RjOExOTnhWelBrWT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://nc.domain.com/index.php/login
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Type: text/html; charset=UTF-8

So, you see X-Frame-Options is set to DENY. But a little further it is being set again to SAMEORIGIN.
The same goes for X-Content-Type-Options, but it is being set twice to the same value.
What is also interesting is the expiration date of the cookies…

When commenting out the .htaccess headers for X-Frame-Options and X-Content-Type-Options, the second headers from the output above are not set anymore.

Still I cannot find the first two settings… Not in the /etc/httpd/conf/httpd.conf, nor in /etc/httpd/sites-available.
Can someone please point me in the right direction?

Setup:
Apache/2.4.6 (CentOS)
OpenSSL/1.0.1e
PHP/7.0.16


Hi,

they are in the .htaccess files in your Nextcloud installation folder. Using Apache you can leave it to the .htaccess files and remove/comment any configuration in /etc/apache2/* files.

That’s precisely the problem. I know these are also set in .htaccess. But unfortunately I cannot find any reference of setting headers in the Apache config directory. In my case /etc/httpd/. I’m not using a Debian distro, but CentOS.

Sorry, I read too quickly. I fear I can’t help then.
The only things I found are:

and:

Could the latter be a hint for some misconfiguration of your headers using too strict configuration?

This post here sounds interesting, but there was no further reply:

You don’t use a proxy, do you?

No. I’m not using proxy.
I’m now going through the second link.
I’ll keep you posted.

[update 1]
This post seems to help:

I’ve changed Header set to Header always set for the two X-Content-Type-Options and X-Frame-Options in .htaccess. Error messages are gone now. I know this is not preferable, but I’m the only one using this instance of NC.

I still do not know where the DENY option is coming from.

Glad this helped for now.
Do you run a physical machine at home or is it a rented server on the Internet? Just asking because I read that providers might influence the headers to secure their customers.

What about a grep for “DENY” across all files? If the scalpel doesn’t help, the big cannon could :smiley:
grep -R "DENY" /*

Sorry for just throwing stuff at you, I have no clue and while nobody else is assisting so far I’m just trying to give you some ideas where to look for problems.

I have a little home CentOS box.
So I ran the command, but not on /; grep exhausted memory and quit early. Instead I ran it on /etc.

It came back with a hit:

[root@centos /]# grep -R "DENY" /etc/*
/etc/letsencrypt/options-ssl-apache.conf:Header always set X-Frame-Options DENY

It looks like Let’s Encrypt (should have mentioned this) has its own basic config file apart from the standard /etc/httpd config directory.

And lo and behold:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

So I commented out the latter two and reverted the .htaccess back to its original value.

Yeah!

Security & setup warnings
All checks passed.

Hope other people find this helpful.

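As an added example (not code from this thread, from Nextcloud or from Apache), here is a small POSIX shell audit that covers both halves of the problem above: it checks a captured response for security headers that are sent more than once with conflicting values (the X-Frame-Options: DENY followed by X-Frame-Options: SAMEORIGIN symptom in the curl output), and it lists every Apache directive that emits a given header across several directories, so a snippet living outside /etc/httpd, such as the Let’s Encrypt options-ssl-apache.conf, is not missed. The sample response, the sample directory tree and the function names (header_values, check_header, find_header_sources, make_sample_tree) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for "header set twice" problems:
#  1. audit a response header dump for security headers with conflicting values
#  2. find every Apache config file (including ones outside /etc/httpd and
#     .htaccess files) that sets a given header

# Constructed sample response, modelled on the thread's curl output.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e PHP/7.0.16
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Location: https://nc.example.com/index.php/login
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

# header_values NAME [TEXT]: print every value of header NAME, one per line.
# TEXT defaults to the sample; pass "$(curl -sI https://host/)" for a live server.
header_values() {
    printf '%s\n' "${2:-$SAMPLE_HEADERS}" | awk -v name="$1" '
        {
            sub(/\r$/, "")                   # real HTTP output ends lines with CRLF
            i = index($0, ":")
            if (i == 0) next                 # status line or blank line
            h = substr($0, 1, i - 1)
            v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v)
            if (tolower(h) == tolower(name)) print v
        }'
}

# check_header NAME EXPECTED [TEXT]: prints one of
#   ok         exactly one occurrence with the expected value
#   missing    header absent
#   conflict   several occurrences with different values (two config sources disagree)
#   duplicate  several occurrences, same value (harmless, but still two sources)
#   wrong      one occurrence with an unexpected value
# Returns 0 only for "ok".
check_header() {
    values=$(header_values "$1" "${3:-$SAMPLE_HEADERS}")
    if [ -z "$values" ]; then echo missing; return 1; fi
    count=$(printf '%s\n' "$values" | wc -l | tr -d ' ')
    distinct=$(printf '%s\n' "$values" | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -gt 1 ]; then echo conflict; return 1; fi
    if [ "$count" -gt 1 ]; then echo duplicate; return 1; fi
    if [ "$values" = "$2" ]; then echo ok; return 0; fi
    echo wrong; return 1
}

# find_header_sources NAME DIR...: print file:line:directive for every
# "Header ... NAME ..." line under the given directories. grep -R also
# descends into dotfiles, so .htaccess files are included.
find_header_sources() {
    name=$1; shift
    grep -R -n -i -E "^[[:space:]]*Header[[:space:]].*[[:space:]]$name([[:space:]]|\$)" "$@" 2>/dev/null || true
}

# make_sample_tree: constructed miniature of the layout described in the thread
# (a plain httpd.conf, a Let's Encrypt snippet setting DENY, and Nextcloud's
# .htaccess setting SAMEORIGIN). Prints the temporary root it created.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/httpd/conf" "$root/etc/letsencrypt" "$root/var/www/nextcloud"
    printf 'ServerName nc.example.com\n' > "$root/etc/httpd/conf/httpd.conf"
    printf 'Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"\nHeader always set X-Frame-Options DENY\nHeader always set X-Content-Type-Options nosniff\n' \
        > "$root/etc/letsencrypt/options-ssl-apache.conf"
    printf '<IfModule mod_headers.c>\n  Header set X-Content-Type-Options "nosniff"\n  Header set X-Frame-Options "SAMEORIGIN"\n</IfModule>\n' \
        > "$root/var/www/nextcloud/.htaccess"
    echo "$root"
}

# Stand-alone run: audit the sample response, then show which files set the header.
printf 'X-Frame-Options: %s\n' "$(check_header X-Frame-Options SAMEORIGIN)"              # conflict
printf 'X-Content-Type-Options: %s\n' "$(check_header X-Content-Type-Options nosniff)"  # duplicate
tree=$(make_sample_tree)
find_header_sources X-Frame-Options "$tree/etc" "$tree/var/www"
rm -rf "$tree"
```

On a real box the second half is the equivalent of the grep in the thread, just scoped to the directories that can feed Apache (/etc/httpd, /etc/letsencrypt and the web root) rather than the whole filesystem, and anchored on the Header directive so it does not match unrelated occurrences of the value.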

I just want to thank you so much for providing this command, grep -R "DENY" /etc/*. With it I could find where my problem was.
I had the X-Frame-Option problem for as long as I remember. You are the first person who could help me with this problem.
Thank you very much.

Not all of us are natural Linux gurus, and most people don’t get that.


Hey @martva,
Thank you for posting your solution. Your grep was a really helpful idea!
Regards.

I fixed these header errors on my Nextcloud 17 installation by using: Header always set… (vs. Header set…)