Server: Getting "Referrer-Policy" warning on version 15

Created on 11 Dec 2018 · 5 Comments · Source: nextcloud/server

Using the nextcloud apache container in Docker (version 15.0.0), I am getting this warning:

The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information.

I already have this set in my NGINX (using only as a reverse proxy). My NGINX server block has:

    # Security headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Referrer-Policy "same-origin" always;

This wasn't happening in version 14.0.4, I only noticed it happening again on v15.

Labels: 0. Needs triage, bug

All 5 comments

insert:

    <IfModule mod_headers.c>
      Header set Referrer-Policy "no-referrer"
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDoma$
    </IfModule>

Not sure what you're asking me to do. The root .htaccess in the Nextcloud apache installation already has this:

    <IfModule mod_env.c>
      # Add security and privacy related headers
      Header set X-Content-Type-Options "nosniff"
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Robots-Tag "none"
      Header set X-Download-Options "noopen"
      Header set X-Permitted-Cross-Domain-Policies "none"
      Header set Referrer-Policy "no-referrer"
      SetEnv modHeadersAvailable true
    </IfModule>

This was a default configuration I haven't messed with. Note that I also specify these headers in my nginx config, since it serves as the reverse proxy. I also tried disabling the apache-specific configuration above, but it did not change the result. I don't think setting headers in Apache will matter in this case since I serve through NGINX. So basically my setup is:

WAN Request -> NGINX (reverse proxy) -> [enter Nextcloud docker container] -> Apache -> PHP

Try to remove the entry in your NGINX configuration. The .htaccess includes this header already. I had to do that as well.

@AmonBune That fixed it for me. Thank you. I don't really have a firm understanding of how NGINX and Apache work together (or against each other). As a general rule, does NGINX not need to provide headers already provided by Apache in the nextcloud container?

Closing this one since my issue is resolved.

@rcdailey Adding a header twice breaks the function of this header. The client does not know which of the two headers is the right one and drops it completely. That's the reason why the security check fails. By removing the one in nginx, Apache's header will be sent and accepted.
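As an added example (not code from the issue thread or from Nextcloud), the following script shows how to verify the outcome of the fix above from the client side: it parses a raw HTTP response header block, collects every `Referrer-Policy` token it finds (duplicate header lines and comma-separated lists both count), and applies the acceptance rule quoted in the warning, treating a header that arrives more than once as a failure, which is the situation the reverse-proxy-plus-`.htaccess` setup produced. The sample responses are constructed, not captured from a real server, and the function names are this example's own.

```python
# Added example: client-side check for a duplicated or rejected Referrer-Policy
# header. Not part of the issue thread or of Nextcloud's own setup check.
from __future__ import annotations

# Values the warning quoted above lists as acceptable.
ACCEPTED_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "same-origin",
}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response (status line plus headers) into (name, value) pairs.
    Names are lower-cased; a header sent twice yields two separate entries."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    pairs: list[tuple[str, str]] = []
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # an empty line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def referrer_policy_values(raw: str) -> list[str]:
    """Every Referrer-Policy token seen, in order, across repeated header
    lines and comma-separated lists."""
    values: list[str] = []
    for name, value in parse_headers(raw):
        if name == "referrer-policy":
            values.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def check_referrer_policy(raw: str) -> tuple[bool, str]:
    """Return (ok, explanation). Missing, duplicated, or non-accepted values
    all fail; exactly one accepted value passes."""
    values = referrer_policy_values(raw)
    if not values:
        return False, "Referrer-Policy header missing"
    if len(values) > 1:
        return False, (
            f"Referrer-Policy sent more than once ({', '.join(values)}); "
            "drop the copy in the reverse proxy or in the backend"
        )
    if values[0] not in ACCEPTED_POLICIES:
        return False, f"Referrer-Policy value '{values[0]}' is not in the accepted set"
    return True, f"Referrer-Policy is '{values[0]}'"


# Constructed sample responses (not captured from a real server).
DUPLICATED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Referrer-Policy: same-origin\r\n"  # added by the nginx reverse proxy
    "Referrer-Policy: no-referrer\r\n"  # added by the backend's .htaccess
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "\r\n"
)
FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("duplicated", DUPLICATED), ("fixed", FIXED)):
        ok, why = check_referrer_policy(sample)
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {why}")
```

To run this against a live deployment, feed it the raw header block from a non-cached request to the site root (for example the output of `curl -sI`), since a proxy layer and a backend each adding the header is exactly the case the check is meant to surface.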
