Open tincanfury opened 1 month ago
Have you updated the nginx.conf file that's mentioned in the logs you've provided?
Here is the content from /srv/nextcloud/config/nginx/site-confs/default.conf

```nginx
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
```
me too:

Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (it should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-security).
I performed a security check that says A+; a check from https://securityheaders.com also gives OK.
Same here, I updated my default.conf file, and have the same 'add headers' in this file as @tincanfury has, but am getting a similar/the same list of errors on the Nextcloud admin overview:
Some headers are not set correctly on your instance
- The X-Content-Type-Options HTTP header is not set to nosniff. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-Frame-Options HTTP header is not set to sameorigin. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
- The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation ↗.
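As an added example (not code from this thread, from Nextcloud, or from the linuxserver image), here is a small Python script that applies the same five rules quoted in the warnings above to a raw HTTP response header block, so you can confirm from outside the container what nginx actually sends for the URL the admin overview checks. The two sample header blocks are constructed; `check_url` is a helper I've assumed for live use and needs network access. One caveat worth checking when the directives are present in `default.conf` but the warning persists: in nginx, `add_header` directives in a `location` block replace all `add_header` directives inherited from the enclosing `server` block, so a location that sets even one header of its own drops the rest unless they are repeated there.

```python
"""Re-implements the header checks the Nextcloud admin overview reports in
this thread, so the same rules can be run against the raw response headers
nginx returns. Added example; not Nextcloud's own code."""
import urllib.request
from typing import Dict, List

# Threshold and accepted values taken from the warning text quoted in the thread.
HSTS_MIN_SECONDS = 15552000
ACCEPTED_REFERRER_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "same-origin",
}

# Constructed sample: what the config quoted above should produce (plus HSTS).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15552000; includeSubDomains
"""

# Constructed sample: a location block with its own add_header dropped the
# inherited ones, so only X-Robots-Tag survives.
BAD_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Robots-Tag: noindex, nofollow
"""


def parse_header_block(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response header block into a mapping of lower-cased
    header name -> list of values (a header may legitimately repeat)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").strip().split("\n"):
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or malformed line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def check_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per failed rule; an empty list means all five pass."""
    findings: List[str] = []

    def first(name: str) -> str:
        return headers.get(name.lower(), [""])[0]

    if first("X-Content-Type-Options").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not set to nosniff")
    if first("X-Frame-Options").lower() != "sameorigin":
        findings.append("X-Frame-Options is not set to sameorigin")
    if "1; mode=block" not in first("X-XSS-Protection"):
        findings.append("X-XSS-Protection does not contain 1; mode=block")
    if first("Referrer-Policy").lower() not in ACCEPTED_REFERRER_POLICIES:
        findings.append("Referrer-Policy is not set to an accepted value")
    if hsts_max_age(first("Strict-Transport-Security")) < HSTS_MIN_SECONDS:
        findings.append(f"Strict-Transport-Security max-age is below {HSTS_MIN_SECONDS}")
    return findings


def check_url(url: str) -> List[str]:
    """Assumed helper for live use: fetch `url` and run the checks on the
    headers the server actually returned (needs network access)."""
    with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
        raw = "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
    return check_headers(parse_header_block(raw))


if __name__ == "__main__":
    for label, sample in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_headers(parse_header_block(sample)) or "all checks pass")
```

Run it against the same URL the overview page checks (typically the instance's own base URL) rather than against a bare `curl -I` of a static file, because the failing request in the thread is the one Nextcloud makes to itself, and a different `location` block may answer it.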
Is there an existing issue for this?
Current Behavior
Some headers are not set correctly on your instance
- The X-Content-Type-Options HTTP header is not set to nosniff. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-Frame-Options HTTP header is not set to sameorigin. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
- The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation ↗.
Expected Behavior
No response
Steps To Reproduce
update to latest, and now I'm getting this at https://URL.com/nextcloud/settings/admin/overview
Environment
CPU architecture
x86-64
Docker creation
Container logs