Server: Strange "Security & setup warnings" on nginx

Created on 10 Jan 2017 · 12 Comments · Source: nextcloud/server

Steps to reproduce

  1. Add "add_header X-Frame-Options DENY;" and "add_header X-Content-Type-Options nosniff;" to /etc/nginx/nginx.conf
  2. Reload nginx ('service nginx reload' in my case)
  3. Login & go to "Admin page"

Expected behaviour

No security warnings expected to be displayed.

Actual behaviour

I see the following warnings:
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

Server configuration

Operating system:
Debian GNU/Linux ("Stretch")
Web server:
Nginx 1.10.2
Database:
MariaDB 10.1.20
PHP version:
PHP 7.0.14-2
Nextcloud version: (see Nextcloud admin page)
11.0.0
Updated from an older Nextcloud/ownCloud or fresh install:
Manually updated from an older Nextcloud version
Where did you install Nextcloud from:
https://download.nextcloud.com/server/releases/nextcloud-11.0.0.tar.bz2

All 12 comments

Our docs mention:

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";

So that should work. Can you retry with that config? If that also fails, just reopen the issue.

Hi,

I already have those lines in the vhost config, but I just got this warning on NC v12.
I didn't have this warning on the previous version.

Same situation here. New install of NC 12. nginx

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";

Same situation here as well. New install of 12 with nginx with the proper entries still shows the security error.

FYI, the header fix for X-Frame-Options is to remove/comment it out from the webserver config. Otherwise the same header is output twice, invalidating the header, because NC12 sets the header in the code now.
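As an added example (not code from this issue or from the Nextcloud project), the following POSIX shell script reproduces the check an admin would otherwise do by eye on the output of `curl -sI`: given a captured HTTP response header block, it looks for the two headers the admin page complains about and reports whether each one is missing, emitted twice (nginx `add_header` plus Nextcloud's own header, the situation described in the comment above), or set to a value other than the one Nextcloud expects (`DENY` instead of `SAMEORIGIN`, as in the original report). The sample header blocks are constructed, and the hostname `cloud.example.com` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit the X-Frame-Options / X-Content-Type-Options headers
# a Nextcloud instance actually sends, distinguishing "missing", "duplicate"
# and "wrong value". Not part of Nextcloud or of the nginx documentation.

# check_header HEADERS NAME EXPECTED
# HEADERS is a raw HTTP response header block (as produced by `curl -sI`).
# Prints exactly one of: ok | missing | duplicate | wrong:<value>
check_header() {
    h_headers=$1; h_name=$2; h_expected=$3
    # Collect every value of the header (name match is case-insensitive,
    # CRLF line endings stripped, surrounding whitespace trimmed).
    h_values=$(printf '%s\n' "$h_headers" | tr -d '\r' \
        | grep -i "^${h_name}:" \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ -z "$h_values" ]; then
        echo missing; return 0
    fi
    h_count=$(printf '%s\n' "$h_values" | wc -l | tr -d ' ')
    # Two copies (e.g. one from nginx add_header, one from Nextcloud's PHP
    # code) are reported as "duplicate" even when both carry the same value.
    if [ "$h_count" -gt 1 ]; then
        echo duplicate; return 0
    fi
    if [ "$h_values" != "$h_expected" ]; then
        echo "wrong:$h_values"; return 0
    fi
    echo ok
}

# check_nextcloud_headers HEADERS
# Runs check_header for the two headers the admin page warns about, prints
# one line per header and returns 1 if any verdict is not "ok".
check_nextcloud_headers() {
    c_headers=$1; c_status=0
    for c_pair in "X-Frame-Options=SAMEORIGIN" "X-Content-Type-Options=nosniff"; do
        c_name=${c_pair%%=*}
        c_expected=${c_pair#*=}
        c_verdict=$(check_header "$c_headers" "$c_name" "$c_expected")
        printf '%s: %s\n' "$c_name" "$c_verdict"
        [ "$c_verdict" = ok ] || c_status=1
    done
    return $c_status
}

# Constructed sample responses (not captured from a real server).
# Headers set exactly once with the expected values:
SAMPLE_OK='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'
# X-Frame-Options emitted by both nginx add_header and Nextcloud itself:
SAMPLE_DUPLICATE='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'
# Header not sent at all. One way this happens with nginx: add_header is
# placed in the http block but a server/location block defines its own
# add_header directives, which stops inheritance of the outer ones.
SAMPLE_MISSING='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'
# Value the original report configured (DENY) instead of SAMEORIGIN:
SAMPLE_WRONG='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

# Demo on the constructed samples. Against a live instance run, e.g.:
#   check_nextcloud_headers "$(curl -sI https://cloud.example.com/)"
echo "--- each header set once ---"
check_nextcloud_headers "$SAMPLE_OK" || true
echo "--- X-Frame-Options sent by nginx and by Nextcloud ---"
check_nextcloud_headers "$SAMPLE_DUPLICATE" || true
```

Only an exact single occurrence counts as `ok`, so the script flags the double header that the comment describes even though both copies say `SAMEORIGIN`; the fix it points at is to drop the `add_header` line from nginx for any header Nextcloud already sets itself.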

Removing/commenting out X-Frame-Options may be inconvenient for multi-site systems, because it's very convenient to keep most of the security-related settings (X-Frame-*, cipher sequences, dh_params, etc.) in a separate config file and just include it in the per-site configs.

Removed per instructions, restarted and still seeing the same error.

I have the same error. I put the record in the http block and it doesn't work.

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";

Same problem. Nextcloud v12 with Nginx.

Nextcloud 12.0.3 RC2
same error

Commenting out "X-Content-Type-Options" removed this message, which appeared after I upgraded to NC 12.0.3 from NC 11 (Debian 9, PHP 7, Nginx, PHP-fpm).

Yep removing did actually work! Thanks
