X-Frame Messages

Hi,

I have installed Nextcloud on a Centos distro with SSL and all. But I’m still running into one thing I can’t seem to get solved.

I’m getting these two warnings:

The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.

So I decided to try and solve them, going through other threads posted here and on the owncloud forums.
According to these threads I need to disable this in httpd.conf of the webserver.

But, when I search in httpd.conf I cannot find any headers being set. Nor in the config files for the vhosts.

When using curl to see what is being set, I see the following:

HTTP/1.1 302 Found
Date: Mon, 27 Mar 2017 12:44:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e PHP/7.0.16
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
X-Powered-By: PHP/7.0.16
Set-Cookie: oc3ksdyyuucx=qva9ae9r4egdhp3l6e42s9a6s6; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=U1FVRp485U7gxgs7Mtk1nboWBHL3x%2FW3hd3ihde2CKGL1e%2B5CqTVezzPL1lq8zx9fOzSkZ6XxFlTTQz6d8NCtKpR4%2BjiJ9OL563UUAlUD0fstG8iuowGpHoCm5SAcATy; path=/; secure; HttpOnly
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-ZmlOcm5TNXF5bFZGOHRhb2lrT1ZHbkFBWXRjMnIySmhPcXFjWUZCQmV3VT06Q2xRWTgwSUdraDBYbjVqdjhoZldmd0JoQnFVQzVsY3RjOExOTnhWelBrWT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://nc.domain.com/index.php/login
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Type: text/html; charset=UTF-8

So, you see X-Frame-Options is set to DENY. But a little further on it is set again, to SAMEORIGIN.
The same goes for X-Content-Type-Options, but that one is set twice to the same value.
What is also interesting is the expiration date of the cookies…

When commenting out the .htaccess header for X-Frame-Options and X-Content-Type-Options, the second headers from the output above are not set anymore.

Still I cannot find the first two settings… Not in the /etc/httpd/conf/httpd.conf, nor in /etc/httpd/sites-available.
Can someone please point me in the right direction?

Setup:
Apache/2.4.6 (CentOS)
OpenSSL/1.0.1e
PHP/7.0.16

1 Like

Hi,

They are in the .htaccess files in your Nextcloud installation folder. Using Apache you can leave it to the .htaccess files and remove/comment any configuration in the /etc/apache2/* files.

That’s precisely the problem. I know these are also set in .htaccess. But unfortunately I cannot find any reference to setting headers in the Apache config directory, in my case /etc/httpd/. I’m not using a Debian distro, but CentOS.

Sorry, I read too quickly. I fear I can’t help then.
The only things I found are:

and:

Could the latter be a hint for some misconfiguration of your headers using too strict configuration?

This post here sounds interesting, but there was no further reply:

You don’t use a proxy, do you?

No. I’m not using a proxy.
I’m now going through the second link.
I’ll keep you posted.

[update 1]
This post seems to help:

I’ve changed Header set to Header always set for the two X-Content-Type-Options and X-Frame-Options lines in .htaccess. The error messages are gone now. I know this is not preferable, but I’m the only one using this instance of NC.

I still do not know where the DENY option is coming from.

Glad this helped for now.
Do you run a physical machine at home or is it a rented server on the Internet? Just asking because I read that providers might influence the headers to secure their customers.

What about a grep for “DENY” across all files? If the scalpel doesn’t help, the big cannon could :smiley:
grep -R "DENY" /*

Sorry for just throwing stuff at you, I have no clue and while nobody else is assisting so far Iā€™m just trying to give you some ideas where to look for problems.

I have a little home centos box.
So I ran the command, but not on /, grep exhausted memory and quit early. Instead I ran it on /etc.

It came back with a hit:

[root@centos /]# grep -R "DENY" /etc/*
/etc/letsencrypt/options-ssl-apache.conf:Header always set X-Frame-Options DENY

It looks like Let’s Encrypt (should have mentioned this) has its own basic config file apart from the standard /etc/httpd config directory.

And lo and behold:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

So I commented out the latter two and reverted the .htaccess back to its original values.

Yeah!

Security & setup warnings
All checks passed.

Hope other people find this helpful.

3 Likes
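As an added example (not code from this thread or from Nextcloud), a small POSIX shell helper that reports response headers a server sends more than once, which is the DENY/SAMEORIGIN clash visible in the curl output above, plus a grep over the places a CentOS box keeps Apache directives, including /etc/letsencrypt. The sample headers are a constructed, trimmed copy of the thread's curl output; the directory list in header_sources is an assumption.

```shell
#!/bin/sh
# Constructed sample: a trimmed copy of the response headers quoted in the thread.
SAMPLE_HEADERS='HTTP/1.1 302 Found
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Location: https://nc.domain.com/index.php/login
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen'

# Reads raw response headers on stdin and prints one line per header name that
# occurs more than once, as: name<TAB>count<TAB>value1|value2
# Names are compared case-insensitively, as HTTP requires; a header repeated
# with two different values (DENY vs SAMEORIGIN) shows both values.
dup_headers() {
    tr -d '\r' | awk -F': ' '
        /^[A-Za-z0-9-]+: / {
            name = tolower($1)
            value = substr($0, length($1) + 3)
            count[name]++
            if (seen[name, value]++ == 0)
                vals[name] = (name in vals) ? vals[name] "|" value : value
        }
        END {
            for (n in count)
                if (count[n] > 1) printf "%s\t%d\t%s\n", n, count[n], vals[n]
        }' | sort
}

# Lists Apache config files, outside the Nextcloud .htaccess, that set the
# given header, e.g.: header_sources X-Frame-Options
# Directories are an assumption for a CentOS box with certbot; adjust to taste.
header_sources() {
    grep -R -i -n "Header .*set[[:space:]]*$1" /etc/httpd /etc/letsencrypt 2>/dev/null
}

# Run the duplicate check against the constructed sample (live use:
# curl -sI https://nc.domain.com/ | dup_headers).
printf '%s\n' "$SAMPLE_HEADERS" | dup_headers
```

A header that appears twice with the same value, as X-Content-Type-Options does here, is harmless but still points at two config sources; a header with two different values is the one that trips the Nextcloud check.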

I just want to thank you so much for providing this code “grep -R "DENY" /etc/*”. With it I could find where my problem was.
I had the X-Frame-Option problem for as long as I remember. You are the first person who could help me with this problem.
Thank you very much.

Not all of us are natural Linux gurus, and most people don’t get that.

1 Like

Hey @martva,
Thank you for posting your solution. Your grep was a really helpful idea!
Regards.

I fixed these header errors on my Nextcloud 17 installation by using: Header always set… (vs. Header set…)