Hi,
I have installed Nextcloud on a CentOS distro with SSL and all. But I'm still running into one thing I can't seem to get solved.
I'm getting these two warnings:
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
So I decided to try and solve them, going through other threads posted here and on the owncloud forums.
According to these threads I need to disable this in the httpd.conf of the webserver.
But, when I search in httpd.conf I cannot find any headers being set. Nor in the config files for the vhosts.
When using curl to see what is being set, I see the following:
HTTP/1.1 302 Found
Date: Mon, 27 Mar 2017 12:44:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e PHP/7.0.16
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Powered-By: PHP/7.0.16
Set-Cookie: oc3ksdyyuucx=qva9ae9r4egdhp3l6e42s9a6s6; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=U1FVRp485U7gxgs7Mtk1nboWBHL3x%2FW3hd3ihde2CKGL1e%2B5CqTVezzPL1lq8zx9fOzSkZ6XxFlTTQz6d8NCtKpR4%2BjiJ9OL563UUAlUD0fstG8iuowGpHoCm5SAcATy; path=/; secure; HttpOnly
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-ZmlOcm5TNXF5bFZGOHRhb2lrT1ZHbkFBWXRjMnIySmhPcXFjWUZCQmV3VT06Q2xRWTgwSUdraDBYbjVqdjhoZldmd0JoQnFVQzVsY3RjOExOTnhWelBrWT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://nc.domain.com/index.php/login
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Type: text/html; charset=UTF-8
So, you see X-Frame-Options is set to DENY. But a little further on it is being set again to SAMEORIGIN.
The same goes for X-Content-Type-Options, but it is being set twice with the same value.
What is also interesting is the expiration date of the cookies…
When commenting out the .htaccess headers for X-Frame-Options and X-Content-Type-Options, the second headers from the output above are not set anymore.
Still I cannot find the first two settings… Not in /etc/httpd/conf/httpd.conf, nor in /etc/httpd/sites-available.
Can someone please point me in the right direction?
Setup:
Apache/2.4.6 (CentOS)
OpenSSL/1.0.1e
PHP/7.0.16
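As an added example (not part of the post above and not Nextcloud's own code), a small Python script that does the comparison the post does by eye: it parses a raw header block like the curl output, flags any header sent more than once, telling duplicates with the same value apart from conflicting ones, and checks the two headers named in the Nextcloud warnings against the values those warnings expect. The sample header block is constructed from the relevant lines of the output above.

```python
"""Audit a raw HTTP response header block for duplicate and mis-set security headers."""
from collections import defaultdict

# Values the two Nextcloud warnings in the post expect (compared case-insensitively).
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
}

# Constructed sample: the relevant lines from the curl output in the post.
SAMPLE_HEADERS = """HTTP/1.1 302 Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e PHP/7.0.16
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Location: https://nc.domain.com/index.php/login
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw):
    """Return {lowercased header name: [values, in the order they were sent]}."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def audit_headers(raw):
    """Return a list of (header, problem) tuples; an empty list means nothing to fix."""
    problems = []
    headers = parse_headers(raw)
    for name, values in headers.items():
        if len(values) > 1:
            # Same value twice is harmless noise; different values mean two sources disagree.
            kind = "duplicated" if len(set(values)) == 1 else "conflicting"
            problems.append((name, f"{kind}: {values}"))
    for name, expected in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            problems.append((name, "missing"))
        elif any(v.lower() != expected.lower() for v in values):
            problems.append((name, f"expected {expected}, got {values}"))
    return problems


if __name__ == "__main__":
    for header, problem in audit_headers(SAMPLE_HEADERS):
        print(f"{header}: {problem}")
```

To run it against a live server, paste the output of `curl -sI https://your-host/` in place of the sample block; each header that appears twice points at two separate configuration sources (here the vhost or Apache config and the .htaccess) that both need to agree.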