linuxserver / docker-nextcloud

GNU General Public License v3.0

[BUG] admin overview page header security warnings #463

Open tincanfury opened 1 month ago

tincanfury commented 1 month ago

Is there an existing issue for this?

Current Behavior

Some headers are not set correctly on your instance

- The X-Content-Type-Options HTTP header is not set to nosniff. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-Frame-Options HTTP header is not set to sameorigin. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
- The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation.

Expected Behavior

No response

Steps To Reproduce

Updated to latest, and now I'm getting this at https://URL.com/nextcloud/settings/admin/overview

Environment

OS: OMV
build_version: Linuxserver.io version:- 29.0.4-ls332 Build-date:- 2024-07-26T12:53:35+00:00

CPU architecture

x86-64

Docker creation

```yaml
services:
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=America/New_York
    tmpfs:
      - /tmp:exec
    volumes:
      - /srv/nextcloud/config:/config
      - /srv/nextcloud/data:/data
      - /srv/dockerconfig/swag/etc/letsencrypt:/letsencrypt:ro
    depends_on:
      - mariadb
#    ports: # uncomment this and the next line if you want to bypass the proxy
#      - 450:443
    restart: unless-stopped
  mariadb:
    image: lscr.io/linuxserver/mariadb:10.11.4
    container_name: nextclouddb
    environment:
      - PUID=1001
      - PGID=1001
      - MYSQL_ROOT_PASSWORD=K91Uxiv6FMkv
      - TZ=America/New_York
      - DATADIR=/databases
    volumes:
      - /srv/dockerconfig/nextclouddb:/config
      - /srv/mariadb:/databases
      - /srv/dockerconfig/swag/etc/letsencrypt:/letsencrypt:ro
    restart: unless-stopped
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=America/New_York
      - URL=elfuriorojo.com
      - SUBDOMAINS=home
      - ONLY_SUBDOMAINS=TRUE
      - VALIDATION=http
      - EMAIL=steve.adeff@gmail.com
    volumes:
      - /srv/dockerconfig/swag/:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
```

Container logs

```text
Initializing finished
**** The following active confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare the following files to the samples in the same folder and update them. ****
**** Use the link at the top of the file to view the changelog. ****
┌────────────┬────────────┬────────────────────────────────────────────────────────────────────────┐
│  old date  │  new date  │ path                                                                   │
├────────────┼────────────┼────────────────────────────────────────────────────────────────────────┤
│ 2023-04-13 │ 2024-05-27 │ /config/nginx/nginx.conf                                               │
└────────────┴────────────┴────────────────────────────────────────────────────────────────────────┘
**** The following site-confs have extensions other than .conf ****
**** This may be due to user customization. ****
**** You should review the files and rename them to use the .conf extension or remove them. ****
**** nginx.conf will only include site-confs with the .conf extension. ****
/config/nginx/site-confs/default.conf.20230810
/config/nginx/site-confs/default.conf.20240103
/config/nginx/site-confs/default.conf.20240110
/config/nginx/site-confs/default.conf.20230829
[custom-init] No custom files found, skipping...
[ls.io-init] done.
```

j0nnymoe commented 1 month ago

Have you updated the nginx.conf file that's mentioned in the logs you've provided?

tincanfury commented 1 month ago

> Have you updated the nginx.conf file that's mentioned in the logs you've provided?

Here is the content from /srv/nextcloud/config/nginx/site-confs/default.conf

```nginx
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy                   "no-referrer"       always;
add_header X-Content-Type-Options            "nosniff"           always;
add_header X-Frame-Options                   "SAMEORIGIN"        always;
add_header X-Permitted-Cross-Domain-Policies "none"              always;
add_header X-Robots-Tag                      "noindex, nofollow" always;
add_header X-XSS-Protection                  "1; mode=block"     always;
```

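An added check, not code from this thread or from the linuxserver images: the script below reproduces the five header checks quoted in the warning text and runs them against a URL you pass in, or, with no argument, against a constructed header set that mirrors the add_header lines above (which contain no Strict-Transport-Security line). The case-insensitive comparison, the threshold constant and the URL being reachable from where the script runs are assumptions.

```python
import sys
import urllib.request

HSTS_MIN_AGE = 15552000  # seconds; the minimum quoted in the overview warning
REFERRER_OK = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
               "strict-origin-when-cross-origin", "same-origin"}

# Constructed sample mirroring the add_header lines in default.conf above (no HSTS line).
SAMPLE_FROM_DEFAULT_CONF = {
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None if absent/malformed."""
    for directive in (value or "").split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None

def check_headers(headers):
    """Return the warnings the overview page would raise for this dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options is not set to nosniff")
    if h.get("x-frame-options", "").lower() != "sameorigin":
        problems.append("X-Frame-Options is not set to sameorigin")
    if "1; mode=block" not in h.get("x-xss-protection", ""):
        problems.append("X-XSS-Protection does not contain 1; mode=block")
    if h.get("referrer-policy", "").lower() not in REFERRER_OK:
        problems.append("Referrer-Policy is not one of the recommended values")
    age = hsts_max_age(h.get("strict-transport-security"))
    if age is None or age < HSTS_MIN_AGE:
        problems.append("Strict-Transport-Security is missing or max-age < %d" % HSTS_MIN_AGE)
    return problems

def fetch_headers(url):
    """GET the URL (redirects are followed) and return the final response's headers."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.getheaders())

if __name__ == "__main__":
    # Usage: python check_headers.py https://host/nextcloud/settings/admin/overview
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FROM_DEFAULT_CONF
    for p in check_headers(hdrs) or ["all five header checks pass"]:
        print(p)
```

Because an `add_header` directive inside an nginx `location` block replaces, rather than extends, the headers inherited from the enclosing `server` block, run the check against the exact admin overview URL rather than only the site root.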
tomspatz commented 4 weeks ago

Me too:

Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (it should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more information see the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-security).

I performed a security check that says A+; also a check from https://securityheaders.com gives OK.

Jazmodo commented 3 hours ago

Same here, I updated my default.conf file, and have the same 'add headers' in this file as @tincanfury has, but am getting a similar/the same list of errors on the Nextcloud admin overview:

Some headers are not set correctly on your instance

- The X-Content-Type-Options HTTP header is not set to nosniff. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-Frame-Options HTTP header is not set to sameorigin. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
- The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation.