Hello Nextcloud Friends:
Nextcloud version: 12.0.5
Operating system and version: Linux CentOS
Apache or nginx version: Apache 2
PHP version: 7.0
The issue you are facing:
I keep getting the warnings listed below as potential security risks. I've been trying to tackle this issue for quite some time now and gave my hosting company the following.
Is this the first time you've seen this error? No
Steps to replicate it:
- Go to Admin basic setting
- Look under “Security & setup warnings”
- "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block".
- "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff".
- "X-Robots-Tag" HTTP header is not configured to equal to "none".
- "X-Download-Options" HTTP header is not configured to equal to "noopen".
- "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none".
- "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS.
My Host Reply:
I checked and the headers are set and they are shown correctly on an HTTPS request:

frank@frank:~$ curl -I https://somewhere.com
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 12 Feb 2018 00:54:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-MFlla0ZESFpWN3pBZVZaS0dUNnhMc1FCRGtl1234512345JiNjk0TDA1K20='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: oc238ccaplka=45b06abcabcabc; path=/; HttpOnly
Set-Cookie: oc_sessionPassphrase=jb1DW%2B3Xm%2FXrvPtwFFzRXVHtPf7uYHCT1234512345GQFAQldM5pftinr%2Fxvej%2Bg4P7fv8jE73B5Va8zFDKx9eHK9nnHYa; path=/; secure; HttpOnly
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://somewhere.com/index.php/login
Host-Header: 192fc2e7e50945be123123123
Vary: User-Agent
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Our system administrators confirmed that the headers are set properly and that since the CURL request is pulling them in the response they should be fetched by the application as well.
Unfortunately, we cannot tell why they are not fetched. In this case, you should contact the support/administrators of the application for assistance on this matter.
A Really Stumped Nextcloud User.
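The host's capture above shows something worth checking before blaming either side: each of the five X-* headers the admin page complains about appears twice in the response (once in the first block next to the Content-Security-Policy header, and again after Vary: User-Agent), and Strict-Transport-Security is not there at all. Nextcloud's warning is an exact-value comparison, and a repeated header does not have a single value: when a browser script reads a header that was sent twice, XMLHttpRequest.getResponseHeader() returns the copies joined with ", ", so "nosniff" becomes "nosniff, nosniff" and the comparison fails even though every copy is correct. The script below is an added example, not part of this thread or of Nextcloud's own code; it parses a raw response head the way the browser would see it, applies the same expected values the admin page lists, and reports duplicates and the missing HSTS header separately from plain mismatches. That Nextcloud's admin-page check reads the headers through the browser rather than server-side is my assumption here; the two sample responses are constructed, modelled on the curl output in the post.

```python
import re

# Expected values exactly as the Nextcloud 12 admin page phrases its warnings.
EXACT = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
}
HSTS_MIN_SECONDS = 15552000  # the "at least 15552000 seconds" from the warning


def parse_headers(raw):
    """Parse a raw HTTP/1.1 response head into {lowercased-name: [value, ...]}.
    Repeated headers are kept as separate list entries so duplicates stay visible."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                    # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def combined_value(values):
    """What XMLHttpRequest.getResponseHeader() hands a script for a repeated header:
    the individual values joined with ', '."""
    return ", ".join(values)


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_nextcloud_headers(raw):
    """Return the list of warnings the admin page would raise for this response head
    (assumption: the page compares the browser-visible, combined value exactly)."""
    headers = parse_headers(raw)
    problems = []
    for name, expected in EXACT.items():
        values = headers.get(name.lower(), [])
        seen = combined_value(values)
        if seen.lower() != expected.lower():
            if len(values) > 1:
                problems.append(f'{name}: sent {len(values)} times; combined value '
                                f'"{seen}" != "{expected}"')
            elif not values:
                problems.append(f"{name}: missing")
            else:
                problems.append(f'{name}: "{seen}" != "{expected}"')
    hsts = headers.get("strict-transport-security", [])
    age = hsts_max_age(combined_value(hsts)) if hsts else None
    if age is None:
        problems.append("Strict-Transport-Security: missing")
    elif age < HSTS_MIN_SECONDS:
        problems.append(f"Strict-Transport-Security: max-age {age} < {HSTS_MIN_SECONDS}")
    return problems


# Constructed sample modelled on the host's curl output: every X-* header is present,
# but each is emitted twice (e.g. once by the application and once by the web server
# configuration), and Strict-Transport-Security is absent.
DUPLICATED = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Robots-Tag: none\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Location: https://somewhere.com/index.php/login\r\n"
    "Vary: User-Agent\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Robots-Tag: none\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "\r\n"
)

# Constructed sample of what the admin page wants: each header exactly once, plus HSTS.
CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Robots-Tag: none\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("duplicated", DUPLICATED), ("clean", CLEAN)):
        print(label + ":", check_nextcloud_headers(raw) or "no warnings")
```

To run it against a real server, save the output of `curl -sI https://your-host/index.php/login` (the page the root redirects to in the capture above) to a file and pass its contents to check_nextcloud_headers(). If the report says a header was "sent 2 times", the fix is to emit it from one place only, the application or the web server configuration, not both; the HSTS warning is separate and only goes away once a Strict-Transport-Security header with max-age of at least 15552000 is actually sent on HTTPS responses.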