X Header Issues with NC12

Hello Nextcloud Friends:

Nextcloud version 12.0.5:
Operating system and version Linux CentOS:
Apache or nginx version Apache 2:
PHP version 7.0:

The issue you are facing:
I keep getting the following warnings listed below as potential security risks. I’ve been trying to tackle this issue for quite some time now and gave my hosting company the following.

Is this the first time you’ve seen this error? No:

Steps to replicate it:

  1. login
  2. Go to Admin basic setting
  3. Look under “Security & setup warnings”
"X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block".
"X-Content-Type-Options" HTTP header is not configured to equal to "nosniff".
"X-Robots-Tag" HTTP header is not configured to equal to "none".
"X-Download-Options" HTTP header is not configured to equal to "noopen".
"X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none".
"Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS

My Host Reply:
I checked and the headers are set and they are shown correctly on an HTTPS request:

frank@frank:~$ curl -I https://somewhere.com
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 12 Feb 2018 00:54:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-MFlla0ZESFpWN3pBZVZaS0dUNnhMc1FCRGtl1234512345JiNjk0TDA1K20='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: oc238ccaplka=45b06abcabcabc; path=/; HttpOnly
Set-Cookie: oc_sessionPassphrase=jb1DW%2B3Xm%2FXrvPtwFFzRXVHtPf7uYHCT1234512345GQFAQldM5pftinr%2Fxvej%2Bg4P7fv8jE73B5Va8zFDKx9eHK9nnHYa; path=/; secure; HttpOnly
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://somewhere.com/index.php/login
Host-Header: 192fc2e7e50945be123123123
Vary: User-Agent
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none

Our system administrators confirmed that the headers are set properly and that since the CURL request is pulling them in the response they should be fetched by the application as well.
Unfortunately, we cannot tell why they are not fetched. In this case, you should contact the support/administrators of the application for assistance on this matter.

Thanks,
A Really Stumped Nextcloud User.
Bob

Hi,

Follow this guide: https://docs.nextcloud.com/server/13/admin_manual/installation/nginx.html
After I had the same trouble, this worked for me.

double check that you put X-***header lines into the right section :wink:

Thank you, going to give it a go report back later.

I was asking my host a few more questions about Nginx and the X-Header issue. His reply makes me wonder if correcting the X-Headers is even possible with my server being in a shared hosting environment.

The Nextcloud instance is installed into the /home/++++++/public_html/slo folder, which is not in the Nginx installation folder. We don’t use the default Nginx setup; we use Nginx as a reverse proxy in front of the Apache web server.

I’m lost now. Should I use the code listed under “Nextcloud in a subdir of nginx” you pointed out at
https://docs.nextcloud.com/server/13/admin_manual/installation/nginx.html

Bob

Hi,

As we can see from the curl output, the headers are delivered twice. I believe I remember that sending the headers twice results in these warnings.
Could you try (I think you have nothing to lose by giving it a try :wink: ) removing (commenting out) the header settings in the .htaccess files?
If nginx as reverse proxy is set up to provide these headers anyway, it shouldn’t be necessary for Apache to send them as well.

1 Like

Thank you so much Schmu, worked like a charm. You rock :slight_smile:

I’ll do some research on the last one then all is good.

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds.
1 Like
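The diagnosis in Schmu's reply (each X-* header appears twice in the curl output, once from the nginx proxy and once from Apache's .htaccess) and the remaining HSTS warning in the last post can both be checked from a raw `curl -I` response. The script below is an added example written for this thread; it is not code from the forum, from Nextcloud, or from the hosting provider. The expected header values and the 15552000-second HSTS minimum are the ones quoted in the admin-page warnings above; the two response samples are constructed to resemble the host's curl output (the hostname example.invalid is a placeholder), one with the duplicated headers and no HSTS, one after the .htaccess copies are removed and HSTS is added.

```python
"""Check Nextcloud's recommended security headers in a raw HTTP response.

Added example, not part of the forum thread or of Nextcloud itself. A header
that is sent more than once is reported as a finding, matching the thread's
diagnosis that duplicated headers trip the setup check.
"""
from collections import defaultdict

HSTS_MIN_AGE = 15552000  # seconds, the minimum quoted by the warning

# Header -> value the setup warnings above say Nextcloud expects
EXPECTED = {
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-robots-tag": "none",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
}


def parse_headers(raw):
    """Parse `curl -I` style output into {lowercased name: [value, ...]}.

    Values are kept as a list so that a header sent twice stays visible.
    """
    headers = defaultdict(list)
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue  # blank line, status line, or not a header field
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return headers


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return None


def check_headers(raw):
    """Return a list of finding strings; an empty list means every check passed."""
    headers = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:
            # Duplicate delivery, e.g. nginx proxy plus Apache .htaccess
            findings.append(f"{name}: sent {len(values)} times {values}")
        elif values[0].lower() != want:
            findings.append(f"{name}: got {values[0]!r}, want {want!r}")

    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("strict-transport-security: missing")
    elif len(hsts) > 1:
        findings.append(f"strict-transport-security: sent {len(hsts)} times")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < HSTS_MIN_AGE:
            findings.append(
                f"strict-transport-security: max-age {age} below {HSTS_MIN_AGE}")
    return findings


# Constructed sample modelled on the host's curl output: every X-* header is
# delivered twice and Strict-Transport-Security is absent.
DUPLICATED = """HTTP/1.1 302 Found
Server: nginx
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Location: https://example.invalid/index.php/login
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
"""

# Constructed sample of the same response after the .htaccess copies are
# removed and HSTS is added at the proxy.
FIXED = """HTTP/1.1 302 Found
Server: nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
"""

if __name__ == "__main__":
    for label, sample in (("duplicated", DUPLICATED), ("fixed", FIXED)):
        print(label, check_headers(sample) or "ok")
```

Run against a real instance by piping `curl -sI https://your-host/` into `check_headers`; the duplicated sample produces six findings (five "sent 2 times" entries plus the missing HSTS header), the fixed sample none.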