From 9167f020c26487f27338cb2659f6e2c40293f52b Mon Sep 17 00:00:00 2001 From: zertrin Date: Sun, 19 Jan 2020 23:53:08 +0800 Subject: [PATCH] Fix security header setting in .htaccess by adding 'onsuccess unset' The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts. Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers might be set twice (once in the default 'onsuccess' table and once in the 'always' table)! Which leads to warnings in the admin area. Adding "onsuccess unset" solves the problem, and forces the header in the 'onsucess' table to be unset, and the header in the 'always' table to be set. NOTE: with this change, Nextcloud overrides whatever the system administrator might have already set See github issues #16893 #16476 #16938 #18017 and discussion in PR #19002 Signed-off-by: zertrin --- .htaccess | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.htaccess b/.htaccess index 8b91422755c22..ce58fb2e87590 100644 --- a/.htaccess +++ b/.htaccess @@ -11,13 +11,13 @@ # Add security and privacy related headers - Header always set Referrer-Policy "no-referrer" - Header always set X-Content-Type-Options "nosniff" - Header always set X-Download-Options "noopen" - Header always set X-Frame-Options "SAMEORIGIN" - Header always set X-Permitted-Cross-Domain-Policies "none" - Header always set X-Robots-Tag "none" - Header always set X-XSS-Protection "1; mode=block" + Header always setifempty Referrer-Policy "no-referrer" + Header always setifempty X-Content-Type-Options "nosniff" + Header always setifempty X-Download-Options "noopen" + Header always setifempty X-Frame-Options "SAMEORIGIN" + Header always setifempty X-Permitted-Cross-Domain-Policies "none" + Header always setifempty X-Robots-Tag "none" + Header always setifempty X-XSS-Protection "1; mode=block" SetEnv modHeadersAvailable true