linuxserver/docker-nextcloud

[BUG] admin overview page header security warnings

tincanfury opened this issue · 6 comments

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Some headers are not set correctly on your instance
- The X-Content-Type-Options HTTP header is not set to nosniff. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-Frame-Options HTTP header is not set to sameorigin. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
- The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation ↗.

Expected Behavior

No response

Steps To Reproduce

update to latest, and now I'm getting this at
https://URL.com/nextcloud/settings/admin/overview

Environment

OS: OMV
build_version: Linuxserver.io version:- 29.0.4-ls332 Build-date:- 2024-07-26T12:53:35+00:00

CPU architecture

x86-64

Docker creation

services:
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=America/New_York
    tmpfs:
      - /tmp:exec
    volumes:
      - /srv/nextcloud/config:/config
      - /srv/nextcloud/data:/data
      - /srv/dockerconfig/swag/etc/letsencrypt:/letsencrypt:ro
    depends_on:
      - mariadb
#    ports: # uncomment this and the next line if you want to bypass the proxy
#      - 450:443
    restart: unless-stopped
  mariadb:
    image: lscr.io/linuxserver/mariadb:10.11.4
    container_name: nextclouddb
    environment:
      - PUID=1001
      - PGID=1001
      - MYSQL_ROOT_PASSWORD=K91Uxiv6FMkv
      - TZ=America/New_York
      - DATADIR=/databases
    volumes:
      - /srv/dockerconfig/nextclouddb:/config
      - /srv/mariadb:/databases
      - /srv/dockerconfig/swag/etc/letsencrypt:/letsencrypt:ro
    restart: unless-stopped
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=America/New_York
      - URL=elfuriorojo.com
      - SUBDOMAINS=home
      - ONLY_SUBDOMAINS=TRUE
      - VALIDATION=http
      - EMAIL=steve.adeff@gmail.com
    volumes:
      - /srv/dockerconfig/swag/:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

Container logs

Initializing finished
**** The following active confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare the following files to the samples in the same folder and update them. ****
**** Use the link at the top of the file to view the changelog. ****
┌────────────┬────────────┬────────────────────────────────────────────────────────────────────────┐
│  old date  │  new date  │ path                                                                   │
├────────────┼────────────┼────────────────────────────────────────────────────────────────────────┤
│ 2023-04-13 │ 2024-05-27 │ /config/nginx/nginx.conf                                               │
└────────────┴────────────┴────────────────────────────────────────────────────────────────────────┘
**** The following site-confs have extensions other than .conf ****
**** This may be due to user customization. ****
**** You should review the files and rename them to use the .conf extension or remove them. ****
**** nginx.conf will only include site-confs with the .conf extension. ****
/config/nginx/site-confs/default.conf.20230810
/config/nginx/site-confs/default.conf.20240103
/config/nginx/site-confs/default.conf.20240110
/config/nginx/site-confs/default.conf.20230829
[custom-init] No custom files found, skipping...
[ls.io-init] done.

Have you updated the nginx.conf file that's mentioned in the logs you've provided?

Here is the content from /srv/nextcloud/config/nginx/site-confs/default.conf

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

me too:

Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (it should be at least 15552000 seconds). For enhanced security it is recommended to enable HSTS. More information can be found in the [documentation ↗](https://docs.nextcloud.com/server/29/go.php?to=admin-security).

I performed a security check that says A+;
also a check from https://securityheaders.com gives OK.

Same here, I updated my default.conf file, and have the same 'add headers' in this file as @tincanfury has, but am getting a similar/the same list of errors on the Nextcloud admin overview:

Some headers are not set correctly on your instance
- The X-Content-Type-Options HTTP header is not set to nosniff. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-Frame-Options HTTP header is not set to sameorigin. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The X-XSS-Protection HTTP header does not contain 1; mode=block. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
- The Referrer-Policy HTTP header is not set to no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin or same-origin. This can leak referer information. See the W3C Recommendation.
- The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation ↗.
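The nginx `add_header` block posted earlier in the thread and the Nextcloud warnings are two sides of one check: what counts is the header set the server actually returns for the page the admin overview probes, not what a site-conf file contains. The following is an added example, not code from this issue or from the linuxserver project. It encodes the five conditions in the warning text as a Python checker that runs offline against constructed sample headers, or, given a URL argument, against a live response. The function names, the sample header values and the `STRIPPED_HEADERS` scenario are assumptions of the example.

```python
"""Check HTTP response headers against the values Nextcloud's admin overview
expects: nosniff, SAMEORIGIN, X-XSS-Protection block mode, an accepted
Referrer-Policy, and an HSTS max-age of at least 15552000 seconds."""
import urllib.request

HSTS_MIN_AGE = 15552000  # seconds; the minimum quoted in the warning text

ALLOWED_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "strict-origin",
    "strict-origin-when-cross-origin", "same-origin",
}


def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security value; None if absent or invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed.

    `headers` maps header name -> value. Names are matched case-insensitively,
    as they are in an HTTP response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").lower() != "sameorigin":
        findings.append("X-Frame-Options is not 'sameorigin'")
    if "1; mode=block" not in h.get("x-xss-protection", "").lower():
        findings.append("X-XSS-Protection does not contain '1; mode=block'")

    # Referrer-Policy may carry a comma-separated fallback list; any listed
    # policy that is in the accepted set satisfies the check.
    policies = {p.strip().lower() for p in h.get("referrer-policy", "").split(",")}
    if not policies & ALLOWED_REFERRER_POLICIES:
        findings.append("Referrer-Policy is not one of the recommended values")

    max_age = hsts_max_age(h.get("strict-transport-security", ""))
    if max_age is None or max_age < HSTS_MIN_AGE:
        findings.append(
            f"Strict-Transport-Security max-age is missing or below {HSTS_MIN_AGE}")
    return findings


def fetch_and_check(url):
    """Fetch `url` and check the headers the server really sent (network call;
    not used by the offline sample below)."""
    with urllib.request.urlopen(url) as resp:
        return check_headers(dict(resp.headers.items()))


# Constructed sample: the headers the site-conf block in this thread sets,
# plus an HSTS header with a max-age above the minimum.
GOOD_HEADERS = {
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Robots-Tag": "noindex, nofollow",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}

# Constructed sample: a response in which the add_header set from an enclosing
# nginx level was lost and only a short-lived HSTS header survived.
STRIPPED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = fetch_and_check(target) if target else check_headers(STRIPPED_HEADERS)
    print("\n".join(results) or "all header checks passed")
```

Run with the instance URL (for example the `/nextcloud/settings/admin/overview` address from the report) to see which headers reach the client. One reason an `add_header` line in a site-conf does not show up in the response is nginx's inheritance rule: `add_header` directives are inherited from the enclosing level only when the current `location` block defines none of its own, so a nested location that adds a single header drops the whole parent set. HSTS additionally only takes effect over TLS, so the check has to be run against the HTTPS endpoint the browser uses.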