Hi all,
the following is my configuration:
Nextcloud version 14.0.3
Operating system and version Debian 9
Apache 2.4.25
PHP version 7.2.11
Until today I faced the problem concerning the X-Frame-Options header.
When I did the internal test the result about that was a failure and in fact giving a look at the developer console in firefox or chrome the option “SAMEORIGIN” appeared twice.
Investigating in my apache config files I found nothing about that, so I tried a workaround.
In the config file of NC vhost I put the following:
Header always unset X-Frame-Options
In this way all internal checks went fine (A+) and tests at htbridge.com/websec/ and pentest-tools.com too (A+ in the first one and nothing concerning security issues in the second one)
Reading a lot of discussions about that, it seems a problem related to apache or nginx configs but
not in this case. I have not deeply investigated but it seems that those setting are hardcoded in NC but added anyway in a second time. Am i wrongly supposing?
P.s. .htaccess, NC vhost conf or else related to apache config does not contain anything about X-Frame-Options