Nextcloud version (eg, 20.0.5): 23.0.2
Operating system and version (eg, Ubuntu 20.04): Linux raspberrypi 5.10.103-v8+
Apache or nginx version (eg, Apache 2.4.25): nginx/1.18.0
PHP version (eg, 7.4): PHP 7.4.28 (cli) (built: Feb 17 2022 16:17:19) ( NTS )
The issue you are facing:
I get the warning: “The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.”.
However, when I add
add_header X-Frame-Options "SAMEORIGIN";
to either /etc/nginx/sites-enabled/default, /etc/nginx/nginx.conf or /etc/nginx/conf.d/nextcloud.conf, the header does not change to SAMEORIGIN, instead SAMEORIGIN gets added and the DENY header stays there. I have searched all the config files and did not find a cause for the DENY.
This is a screenshot of the response headers:
Something interesting I found out: the filetypes that have the double x-frame-options header are HTML, SVG and JSON. XML has only the SAMEORIGIN header.
Is this the first time you’ve seen this error? (Y/N): It was there since I set up my Nextcloud server a few weeks ago. Only now did I finally try to squash it…
Steps to replicate it:
Honestly, I have no idea how I even caused this, let alone how to replicate it: I installed Nextcloud with Nginx, PHP & MariaDB. After this I set up SSH with self-signed certificates.
The output of your Nextcloud log in Admin > Logging:
Only a bunch of debug info about an update I did recently (unrelated to the issue I described above). If anyone still wants to see it, don’t hesitate to ask.
The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'instanceid' => '-',
  'passwordsalt' => '-',
  'secret' => '-',
  'trusted_domains' =>
  array (
    0 => '192.168.0.143',
    1 => '-',
    2 => '-',
  ),
  'datadirectory' => '/usr/share/nginx/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '23.0.2.1',
  'overwrite.cli.url' => 'http://192.168.0.143',
  'dbname' => '-',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '-',
  'dbpassword' => '-',
  'installed' => true,
  'updater.secret' => '-',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);
The output of your Apache/nginx/system log in /var/log/____:
Again, as far as I can see there is nothing relevant in there and I’d have to blur out a ton of IPs and stuff like that, if anyone still wants to see it lmk!
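
One way to check which responses carry more than one X-Frame-Options value, as described in the post above. This is an added example, not part of the original post; the function names, the sample file names and the header dumps are constructed for illustration.

```python
# Added example: audit raw response-header dumps (for instance saved with
# `curl -s -D - -o /dev/null URL`) for repeated X-Frame-Options headers.

def header_values(raw, name="x-frame-options"):
    """Return every value sent for `name`, in order, from one header block."""
    values = []
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the headers
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name:
            # One header line may itself carry a comma-separated list.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values


def classify(values, wanted="SAMEORIGIN"):
    """Label the X-Frame-Options values found on one response."""
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflict"                    # e.g. DENY and SAMEORIGIN together
    if len(values) > 1:
        return "duplicate"                   # same value sent more than once
    return "ok" if values[0] == wanted else "unexpected"


def audit(samples):
    """Map each sample name to (label, values)."""
    result = {}
    for name, raw in samples.items():
        values = header_values(raw)
        result[name] = (classify(values), values)
    return result


# Constructed header dumps (not captured from a real server) that mirror the
# pattern in the post: HTML carries two headers, XML only one.
SAMPLES = {
    "index.html": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
                  "X-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "status.xml": "HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n"
                  "x-frame-options: SAMEORIGIN\r\n\r\n",
}

if __name__ == "__main__":
    for name, (label, values) in audit(SAMPLES).items():
        print(f"{name}: {label} {values}")
```

Running the same audit over dumps taken per file type (HTML, SVG, JSON, XML) shows which request paths pick up the extra header.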