Fix nextcloud warnings under nginx

Nextcloud checks for a precisely defined set of web-server settings. If these are not set correctly, the following warnings are displayed in the admin interface:

  • The "X-XSS-Protection" HTTP header is not configured to match "1; mode=block". This is a potential security risk and it is recommended to change this setting.
  • The "X-Content-Type-Options" HTTP header is not configured to match "nosniff". This is a potential security risk and it is recommended to change this setting.
  • The "X-Robots-Tag" HTTP header is not configured to match "none". This is a potential security risk and it is recommended to change this setting.
  • The "X-Frame-Options" HTTP header is not configured to match "SAMEORIGIN". This is a potential security risk and it is recommended to change this setting.
  • The "X-Download-Options" HTTP header is not configured to match "noopen". This is a potential security risk and it is recommended to change this setting.
  • The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to match "none". This is a potential security risk and it is recommended to change this setting.

This is very easy to fix. If you use nginx, you only need to add a few lines to the nginx virtual-host configuration. The file can normally be found under /etc/nginx/sites-enabled/default.

The following lines must be added inside the server { } block:

# Security headers expected by the Nextcloud admin check.
# Note: add_header directives are only inherited into a location { } block
# if that block contains no add_header of its own.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options "noopen";
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;

Finally, restart nginx so that the new configuration takes effect:

/etc/init.d/nginx restart
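After the restart it is worth verifying what the server actually sends rather than trusting the configuration file. The script below is an added example and not part of the original post: it reads raw HTTP response headers (for instance from curl -sI, the host name being a placeholder) and compares them with the values listed above. It also flags any header that arrives more than once, which is exactly the X-Frame-Options situation reported in the comments, where nginx and Nextcloud's PHP code both set the header. The sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): check the headers a Nextcloud
# front end actually sends against the values the admin page expects.
# Typical use:  curl -sI https://cloud.example.org/ | sh check_headers.sh
# (host name is a placeholder). Needs only POSIX sh, grep, sed, cut, sort, uniq.

# check_one NAME PATTERN: look NAME up in $HEADERS (case-insensitive) and
# require its value to match the extended regex PATTERN. Prints one status
# line; returns 1 if the header is missing or its value does not match.
check_one() {
    name=$1; pattern=$2
    got=$(printf '%s\n' "$HEADERS" | grep -i "^$name:" | head -n 1 \
          | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$got" ]; then
        printf 'MISSING %s (expected %s)\n' "$name" "$pattern"; return 1
    fi
    if printf '%s\n' "$got" | grep -Eiq "^($pattern)\$"; then
        printf 'ok %s: %s\n' "$name" "$got"; return 0
    fi
    printf 'MISMATCH %s: got "%s", expected %s\n' "$name" "$got" "$pattern"; return 1
}

# check_duplicates: report any header name that occurs more than once. This is
# the case from the comments: nginx adds X-Frame-Options while Nextcloud's PHP
# code also sends it, so the client sees two copies and the check fails.
check_duplicates() {
    dups=$(printf '%s\n' "$HEADERS" | grep -i '^[a-z0-9-]*:' | cut -d: -f1 \
           | tr 'A-Z' 'a-z' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    for h in $dups; do
        printf 'DUPLICATE %s is sent more than once (set by nginx and by the application?)\n' "$h"
    done
    return 1
}

# Referrer-Policy values Nextcloud accepts, taken from its own warning text.
REFERRER_OK='no-referrer|no-referrer-when-downgrade|strict-origin|strict-origin-when-cross-origin|same-origin'

# check_headers: read raw response headers on stdin, run every check and
# return the number of problems found (0 = each expected header is present
# exactly once with an accepted value).
check_headers() {
    HEADERS=$(tr -d '\r')          # HTTP uses CRLF line endings; drop the CR
    n=0
    check_one strict-transport-security         'max-age=[0-9]+.*' || n=$((n+1))
    check_one x-content-type-options            'nosniff'          || n=$((n+1))
    check_one x-xss-protection                  '1; mode=block'    || n=$((n+1))
    check_one x-robots-tag                      'none'             || n=$((n+1))
    check_one x-download-options                'noopen'           || n=$((n+1))
    check_one x-permitted-cross-domain-policies 'none'             || n=$((n+1))
    check_one referrer-policy                   "$REFERRER_OK"     || n=$((n+1))
    check_duplicates || n=$((n+1))
    return $n
}

# Constructed sample response (not captured from a real server): the nginx
# headers from the post, no Referrer-Policy, and X-Frame-Options sent twice.
SAMPLE_BAD='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN'

# Constructed response after the fix: Referrer-Policy added in nginx and
# X-Frame-Options left to the application, so it appears only once.
SAMPLE_GOOD='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
X-Frame-Options: SAMEORIGIN'

# Demo on the constructed bad sample; replace with a real curl -sI pipe.
printf '%s\n' "$SAMPLE_BAD" | check_headers && echo "all headers match" \
    || echo "problems found: $?"
```

The exit status is the number of problems, so the script can be dropped into a monitoring job; on the bad sample it reports the missing Referrer-Policy and the duplicated X-Frame-Options and exits with 2, while the corrected sample passes with 0.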

7 comments

  1. Hello,

    up to version 11.0.3 the error was gone, with version 12 beta2 it is back although nothing has been changed in the conf.
    Does anyone have any idea why?

    • Hello, unfortunately I do not use a beta version. As soon as version 12 becomes stable, I will be happy to check it.

    • Version 12 has now been officially released. I have exactly the same problem with mine: The "X-Frame-Options" HTTP header is not configured to match "SAMEORIGIN". This is a potential security risk and it is recommended to change this setting.
      The cause is rather trivial. The setting for "X-Frame-Options" has migrated to Nextcloud's PHP code and is therefore redundant in the nginx configuration, leading to an invalid result.
      Solution: Remove the add_header line for "X-Frame-Options" and restart nginx. I have adapted the post above accordingly.

  2. Hello,
    in the current version 16.0.4 the following warnings are displayed after setting the nginx configuration additions:

    The "X-Content-Type-Options" HTTP header is not configured to match "nosniff".
    The "X-Robots-Tag" HTTP header is not configured to match "none".
    The "X-Download-Options" HTTP header is not configured to match "noopen".
    The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to match "none".
    Your web server is not set up correctly to resolve "/.well-known/caldav".
    Your web server is not set up correctly to resolve "/.well-known/carddav".
    No PHP memory cache has been configured. A memory cache can be configured to increase performance.
    The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin".

    Can anyone tell me what settings still need to be made?

    • If you still have these messages, it means that the changes mentioned above have not been correctly implemented. I have version 16.0.4 and it works with it.
