Nextcloud version (eg, 20.0.5):
Operating system and version (eg, Ubuntu 20.04):
Linux raspberrypi 5.10.103-v8+
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 7.4):
PHP 7.4.28 (cli) (built: Feb 17 2022 16:17:19) ( NTS )
The issue you are facing:
I get the warning: “The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.”.
However, when I add
add_header X-Frame-Options "SAMEORIGIN";
the header does not change to SAMEORIGIN, instead SAMEORIGIN gets added and the DENY header stays there. I have searched all the config files and did not find a cause for the DENY.
This is a screenshot of the response headers:
Something interesting I found out: the filetypes that have the double x-frame-options header are HTML, SVG and JSON. XML has only the SAMEORIGIN header.
Is this the first time you’ve seen this error? (Y/N): It was there since I set up my Nextcloud server a few weeks ago. Only now did I finally try to squash it…
Steps to replicate it:
Honestly, I have no idea how I even caused this, let alone how to replicate it: I installed Nextcloud with Nginx, PHP & MariaDB. After this I set up SSH with self-signed certificates.
The output of your Nextcloud log in Admin > Logging:
Only a bunch of debug info about an update I did recently (unrelated to the issue I described above). If anyone still wants to see it, don’t hesitate to ask.
The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'instanceid' => '-',
  'passwordsalt' => '-',
  'secret' => '-',
  'trusted_domains' =>
  array (
    0 => '192.168.0.143',
    1 => '-',
    2 => '-',
  ),
  'datadirectory' => '/usr/share/nginx/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '22.214.171.124',
  'overwrite.cli.url' => 'http://192.168.0.143',
  'dbname' => '-',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '-',
  'dbpassword' => '-',
  'installed' => true,
  'updater.secret' => '-',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);
The output of your Apache/nginx/system log in
Again, as far as I can see there is nothing relevant in there and I’d have to blur out a ton of IPs and stuff like that, if anyone still wants to see it lmk!
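A way to check for the duplicated header described in the post without a browser, as an added example that is not part of the original post: it reads a raw response header block and reports whether X-Frame-Options is missing, single, duplicated or conflicting. The file names and header blocks are constructed to mirror what the post reports (HTML with both DENY and SAMEORIGIN, XML with only SAMEORIGIN), and the function names are hypothetical.

```python
# Constructed sample header blocks (not captured from the poster's server).
SAMPLE_RESPONSES = {
    "index.html": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n"
    ),
    "feed.xml": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/xml\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n"
    ),
}


def frame_options_values(raw_headers):
    """Return every X-Frame-Options value, in order of appearance."""
    values = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # One field line may itself carry a comma-separated list.
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    return values


def audit(raw_headers):
    """Classify the header block as missing, single, duplicate or conflict."""
    values = frame_options_values(raw_headers)
    if not values:
        return "missing", values
    if len(set(values)) > 1:
        return "conflict", values   # e.g. DENY together with SAMEORIGIN
    if len(values) > 1:
        return "duplicate", values  # same value sent more than once
    return "single", values


def audit_all(responses):
    return {name: audit(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, (status, values) in audit_all(SAMPLE_RESPONSES).items():
        print(f"{name}: {status} {values}")
```

Running it against the header block of each content type separately shows which responses pick up the second value, which narrows down whether it is added for every response or only for some of them.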