Use "setifempty" instead of "always set" in .htaccess

The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts. Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers are set twice! Which leads to warnings in the admin area. Using "setifempty" solves the problem. In the default case where the system admin didn't do anything, Nextcloud will add them automatically. On the other hand, when the system administrator has already set security headers, we should not add ours on top. See github issues #16893 #16476 #16938 #18017 Signed-off-by: zertrin <zertrin@gmail.com>
nextcloud · Jan 19, 2020 · 0cb622b · 0cb622b
1 parent 434fd43
commit 0cb622b
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/.htaccess b/.htaccess
@@ -11,13 +11,13 @@
 
   <IfModule mod_env.c>
     # Add security and privacy related headers
-    Header always set Referrer-Policy "no-referrer"
-    Header always set X-Content-Type-Options "nosniff"
-    Header always set X-Download-Options "noopen"
-    Header always set X-Frame-Options "SAMEORIGIN"
-    Header always set X-Permitted-Cross-Domain-Policies "none"
-    Header always set X-Robots-Tag "none"
-    Header always set X-XSS-Protection "1; mode=block"
+    Header setifempty Referrer-Policy "no-referrer"
+    Header setifempty X-Content-Type-Options "nosniff"
+    Header setifempty X-Download-Options "noopen"
+    Header setifempty X-Frame-Options "SAMEORIGIN"
+    Header setifempty X-Permitted-Cross-Domain-Policies "none"
+    Header setifempty X-Robots-Tag "none"
+    Header setifempty X-XSS-Protection "1; mode=block"
     SetEnv modHeadersAvailable true
   </IfModule>