Hello Nextcloud Friends:
Nextcloud version: 12.0.5
Operating system and version: Linux CentOS
Apache or nginx version: Apache 2
PHP version: 7.0
The issue you are facing:
I keep getting the following warnings listed below as potential security risks. I’ve been trying to tackle this issue for quite some time now and gave my hosting company the following.
Is this the first time you’ve seen this error? No
Steps to replicate it:
- login
- Go to Admin basic setting
- Look under “Security & setup warnings”
"X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block".
"X-Content-Type-Options" HTTP header is not configured to equal to "nosniff".
"X-Robots-Tag" HTTP header is not configured to equal to "none".
"X-Download-Options" HTTP header is not configured to equal to "noopen".
"X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal to "none".
"Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS
My Host Reply:
I checked and the headers are set and they are showed correctly on HTTPS request:
frank@frank:~$ curl -I https://somewhere.com
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 12 Feb 2018 00:54:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-MFlla0ZESFpWN3pBZVZaS0dUNnhMc1FCRGtl1234512345JiNjk0TDA1K20='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: oc238ccaplka=45b06abcabcabc; path=/; HttpOnly
Set-Cookie: oc_sessionPassphrase=jb1DW%2B3Xm%2FXrvPtwFFzRXVHtPf7uYHCT1234512345GQFAQldM5pftinr%2Fxvej%2Bg4P7fv8jE73B5Va8zFDKx9eHK9nnHYa; path=/; secure; HttpOnly
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: https://somewhere.com/index.php/login
Host-Header: 192fc2e7e50945be123123123
Vary: User-Agent
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Our system administrators confirmed that the headers are set properly and that since the CURL request is pulling them in the response they should be fetched by the application as well.
Unfortunately, we cannot tell why they are not fetched. In this case, you should contact the support/administrators of the application for assistance on this matter.
Thanks,
A Really Stumped Nextcloud User.
Bob