hoellen / docker-nextcloud

All-in-one Nextcloud Docker image. Alpine-based, rootless and simple.

Fix header "X-XSS-Protection" for Nextcloud 24 #23

Closed mhbates closed 2 years ago

mhbates commented 2 years ago

Nextcloud 24 throws the following error: The "X-XSS-Protection" HTTP header doesn't contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

This happens even when nginx on the host side is configured correctly. If you inspect the page, you'll see duplicate headers, one of which is set to 0. When I go into the container's nginx conf (/etc/nginx/conf.d/default.conf), I see add_header X-XSS-Protection "0" always;.

Since it doesn't seem like I can do much via the container shell, I copied the file to the host, edited it, then copied it back to the container, and restarted it. That fixed it.
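The symptom described above, a response carrying two X-XSS-Protection headers with conflicting values because both the host-side proxy and the container's nginx add one, is easy to miss with most HTTP clients, which collapse repeated header names. The following script is an added example, not code from the docker-nextcloud project or from either commenter; the raw response it parses is constructed to mirror the situation in this issue (a "1; mode=block" value from the host proxy and a "0" from the container), and the status labels are this example's own classification, not Nextcloud's.

```python
"""Audit the X-XSS-Protection header of an HTTP response.

Added example (not from the docker-nextcloud project). The raw response
below is constructed to mirror the situation described in the issue: the
host-side nginx adds "1; mode=block" and the container's nginx adds "0",
so the client sees both values at once.
"""
from collections import defaultdict

# Constructed sample: a response as it would leave the host-side proxy.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> dict:
    """Return a mapping of lowercased header name -> list of values.

    Keeping a list per name (rather than a plain dict) is what makes a
    duplicate visible; a plain dict would keep only the last value.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # skip the status line
    headers = defaultdict(list)
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def duplicate_headers(headers: dict) -> dict:
    """Header names that appear more than once, with all their values."""
    return {name: values for name, values in headers.items() if len(values) > 1}


def xss_protection_status(headers: dict) -> str:
    """Classify the X-XSS-Protection header as a defender would read it.

    - "absent":   header not sent (fine when a CSP is in place)
    - "disabled": single value "0" (the legacy filter is explicitly off)
    - "enabled":  single value "1; mode=block" (what the Nextcloud 24 check wants)
    - "conflict": differing values; a browser that still honours the header
                  may apply either one, so the effective policy is unknown
    - "other":    any other single value
    """
    values = headers.get("x-xss-protection", [])
    if not values:
        return "absent"
    if len(set(values)) > 1:
        return "conflict"
    value = values[0]
    if value == "0":
        return "disabled"
    if value == "1; mode=block":
        return "enabled"
    return "other"


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for name, values in duplicate_headers(hdrs).items():
        print(f"duplicate header {name!r}: {values}")
    print("X-XSS-Protection status:", xss_protection_status(hdrs))
```

Running it against the constructed response reports the duplicate and classifies it as "conflict"; once only one layer emits the header (either by removing the container's directive as described above, or by having the proxy stop adding its own), the status becomes "disabled" or "enabled" and the layers no longer disagree.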

hoellen commented 2 years ago

X-XSS-Protection is disabled, because it is unsafe and obsolete. It is superseded by CSP. Nextcloud should remove this check. You can find more information here: