Server: Nextcloud 14 Beta 3 The "Referrer-Policy" HTTP header is not set to "no-referrer"
Hello getting this error in NC 14 Beta 3
ghost
All 12 comments
GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/10502 (Nextcloud 14 Beta 3), https://github.com/nextcloud/server/issues/8550 (The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN".), https://github.com/nextcloud/server/issues/10605 (Nextcloud 14 Beta 4), https://github.com/nextcloud/server/issues/10410 (Nextcloud 14 Beta 2), and https://github.com/nextcloud/server/issues/9122 (Add setupcheck for Referrer-Policy header).
nextcloud-bot
on 9 Aug 2018
So it is not and error it is a warning as you can see.
It is warning you a header is not set which makes your browser forward any referrer information which is not recommended. So the system is actually doing what it should do. Warning you.
rullzer
on 9 Aug 2018
Okay, this is an browser issue? I don’t get this warning on NC 13 ??
Sent from my iPhone X
On Aug 9, 2018, at 1:52 PM, Roeland Jago Douma <[email protected]notifications@github.com> wrote:
So it is not and error it is a warning as you can see.
It is warning you a header is not set which makes your browser forward any referrer information which is not recommended. So the system is actually doing what it should do. Warning you.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHubhttps://github.com/nextcloud/server/issues/10624#issuecomment-411860036, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AXb4Q5_WaktuQnBe6HHTTbIhviz9lBYqks5uPIT9gaJpZM4V15Zb.
ghost
on 9 Aug 2018
Ah no. It is a new security header. We only added a check for it in NC14. That si why it shows up in the beta ;)
rullzer
on 9 Aug 2018
@rullzer is this warrning always going to show?
ghost
on 16 Aug 2018
Yes. Unless you set the header. Same as for the other security header we recommend
rullzer
on 16 Aug 2018
@rullzer Thank you! how do i set the header and where ?
ghost
on 16 Aug 2018
@rullzer any update on this?
ghost
on 20 Aug 2018
@andyxh This header needs to be added into your vhost conf.
Ex:
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
Header always set Referrer-Policy "strict-origin"
ShipNecro
on 11 Sep 2018
Yes. Unless you set the header. Same as for the other security header we recommend
It should be added to the NC docs as well, not? The location where and what do add, like with this other header that's documented. Currently there is a W3C link, but I think it's not very comprehensive for everyone.
mathiasconradt
on 11 Sep 2018
I agree with @mathiasconradt. Only figured out what to do with @ShipNecro comment.
penCsharpener
on 11 Sep 2018
Why not add these headers to the .htaccess file that Nextcloud generates (on Apache servers)?
chriscroome
on 28 Sep 2018
Related issues
wjwieland
·
87Comments
bruennlein
·
73Comments
cdauth
·
121Comments
ariselseng
·
107Comments
Wehzie
·
73Comments
Most helpful comment
@andyxh This header needs to be added into your vhost conf.
Ex:
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
Header always set Referrer-Policy "strict-origin"