[Bug]: wrong or misleading "Security & Setup Warnings" due to HTTP headers

[hp4]

⚠️ This issue respects the following points: ⚠️

• [X] This is a bug, not a question or a configuration/webserver/proxy issue.
• [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

I can't get rid of error messages in Nextclouds "Security & Setup Warnings", the messages are wrong or at least misleading:

• Nextcloud issues a standard error message on on a set of missing headers independent of what is really wrong

• Nextcloud seems to export the "X-Robots-Tag" in its own code, but in the docs asks the admin to provide it by the webserver

• this leads to a double "X-Robots-Tag" in the http-response (at least with nginx, may be apache removes double entries?) which is erroneously reported as mssing !

• when not providing the "Strict-Transport-Security" Nextcloud complains about it, but after providing it Nextcloud still reports it as missing and in addition shows the above mentioned standard message about missing/wrong headers

Steps to reproduce

1.install Nextcloud Hub 8 (29.0.3) 2.configuration with nginx webservers as server and reverse proxy 3.look for the "Security & Setup Warnings" messages

Expected behavior

• only missing HTTP-headers should be reported instead of a standard message with all headers
• double entries of headers should be ignored in the check
• the docs should inform the admin, which headers are generated by Nextcloud itself (special role of X-Robots-Tag?)
• when the Strict-Transport-Security header is available (as can be seen with curl) Nextcloud should report the correct reason for complaining, e.g. wrong value

Installation method

Community NextcloudPi appliance

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

None

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• [X] Default user-backend (database)
• [ ] LDAP/ Active Directory
• [ ] SSO - SAML
• [ ] Other

Configuration report

output of "php occ config:list system"

    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 0
        },
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],                                                                           r\n
        "log_rotate_size": 10485760,
        "upgrade.disable-web": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/nc.test.hp4",
        "overwritehost": "nc.test.hp4",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",                                   :1f
        "trusted_domains": [
            "nc.test.hp4"                                                        o\r
        ],                                                                           97d
        "datadirectory": "***REMOVED SENSITIVE VALUE***",                            nfo
        "dbtype": "mysql",
        "version": "29.0.3.4",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",                                   o\r
        "dbport": "",                                                                97d
        "dbtableprefix": "oc_",                                                      nfo
        "mysql.utf8mb4": true,                                                        in
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",                               p\r
        "installed": true,                                                           145
        "default_phone_region": "DE",                                                d b
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpport": "587",
        "mail_sendmailmode": "smtp",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 1,
        "maintenance": false,
        "loglevel": 2
    }

List of activated Apps

Enabled:
  - activity: 2.21.1
  - calendar: 4.7.10
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contacts: 6.0.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - deck: 1.13.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.7.2
  - nextcloud_announcements: 1.18.0
  - notes: 4.10.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - polls: 7.1.3
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - richdocuments: 8.4.3
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - spreed: 19.0.4
  - support: 1.12.0
  - survey_client: 1.17.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - encryption: 2.17.0
  - files_external: 1.21.0
  - groupfolders: 17.0.1 (installed 17.0.1)
  - suspicious_login: 7.0.0
  - tasks: 0.16.0 (installed 0.16.0)
  - twofactor_totp: 11.0.0-dev
  - user_ldap: 1.20.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

[joshtrichards]

Can you provide the exact warnings and errors you're seeing? And also confirm you're using the latest Nginx config in our manual?

Nextcloud issues a standard error message on on a set of missing headers independent of what is really wrong

We check and report on each security header independently:

https://github.com/nextcloud/server/blob/3b795cde79946cb9b41ed823c78111ea040cbfa2/apps/settings/lib/SetupChecks/SecurityHeaders.php

Nextcloud seems to export the "X-Robots-Tag" in its own code, but in the docs asks the admin to provide it by the webserver

Where do we say that?

https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#serve-security-related-headers-by-the-web-server

And in the Nginx config we provide, there is handling for it (in spots we cover in standard (Apache) installations via the bundled .htaccess). Check the modHeadersAvailable line in the Nginx config as well as the separate header handling section for static assets as seen in manual:

https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

Are you using the above Nginx config?

You also stated you're using NextcloudPi, but that's Apache based. So your report has some inconsistencies that are hard to follow. Your provided config suggests you're using one of our micro-services Docker images (fpm variant presumably if you're using Nginx as your web server).

[blattms]

Slightly related, but not a biggy either:

I have add_headerX-Robots-Tag none always;in my nginx configuration.noneshould be an alias tonoindex, nofollow, but nextcloud still warns that I am missingnoindex, nofollow` in X-Robots-Tag

[nextcloud-command]

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.