False recommended header warnings since 17.0.1 #18017

Closed
avuton opened this issue Nov 19, 2019 · 1 comment · Fixed by #19002

avuton commented Nov 19, 2019

On my Nextcloud instance nc.anpmech.com, since 17.0.1 I'm getting warnings in the admin page about missing headers. These seem like a false warning, but I wouldn't doubt I'm just, somehow, doing something wrong. Further dumbfounding me is the same results exist now on scan.nextcloud.com when I didn't see them before.

Warnings Screenshot

avuton@xps:~$ curl -I https://nc.anpmech.com
HTTP/2 302 
date: Tue, 19 Nov 2019 17:11:55 GMT
server: Apache/2.4.41 (Debian)
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-security-policy: default-src 'self'; script-src 'self' 'nonce-bUlDeFhKaE1LUFBLTmYrM1pFY3cxUTkrWFYrckdZNzhNMGF0SklCS0hldz06OXJmNVBlSjZZcktFVTd2eE5Tc2JrR3NtTWdyb1hQdTFZeUR1VXVVNmNLND0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: ocgdgj675i9h=5e3gm7e49tt5u4mv9rlato9qnv; path=/; secure; HttpOnly
set-cookie: oc_sessionPassphrase=6fvHuEvvnj92ftLKgXWI5OI8O79rixP0tmqpVJxJ4gxiFLQJ1OUt%2F50wX8DR%2BobFtXV1aTLTA8d%2FMYQzqEMFT4BttKH%2F0iYrNVN3QCAf7xBry2l%2FSY%2BcpbF%2FtdrNzHZ6; path=/; secure; HttpOnly
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
strict-transport-security: max-age=15552000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
location: https://nc.anpmech.com/index.php/login
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
content-type: text/html; charset=UTF-8

kesselb commented Nov 19, 2019

curl -I -s https://nc.anpmech.com |grep "x-"|sort
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-content-type-options: nosniff
x-download-options: noopen
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-robots-tag: none
x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block

All headers are there two times. Please fix your webserver configuration.

#17341
#16893
#16476
#11531

https://help.nextcloud.com/t/cannot-get-rid-of-strict-transport-security-http-header-warning-message/21283/4
https://help.nextcloud.com/t/using-official-docker-image-getting-header-warnings-in-admin/15177

Please check https://help.nextcloud.com. Guess there are a few threads about issues like that. Closing this report as not a bug.

@kesselb kesselb closed this as completed Nov 19, 2019
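As an added check (not part of this issue or of the Nextcloud code), the script below parses a `curl -I` style response and reports every header that arrives more than once, which is the condition kesselb's grep/sort pipeline surfaced. It goes one step beyond the issue by separating identical repeats (the cosmetic case here) from conflicting values; the sample response is constructed from a trimmed version of the output above, with one deliberately conflicting x-frame-options line added.

```python
from collections import defaultdict

# Constructed sample: a trimmed copy of the curl -I output quoted in the issue,
# with the vhost-level and .htaccess-level copies of each header present and
# one deliberately conflicting x-frame-options value added for illustration.
SAMPLE_RESPONSE = """HTTP/2 302
server: Apache/2.4.41 (Debian)
strict-transport-security: max-age=15552000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: none
location: https://nc.example/index.php/login
x-content-type-options: nosniff
x-frame-options: DENY
x-robots-tag: none
content-type: text/html; charset=UTF-8
"""


def parse_headers(raw):
    """Return [(name, value), ...] in wire order; names lower-cased, status line skipped."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")  # split at the first colon only
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def duplicate_headers(pairs):
    """Map each header name seen more than once to its values, in wire order."""
    seen = defaultdict(list)
    for name, value in pairs:
        seen[name].append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def classify(dupes):
    """Split duplicates into names repeated with one value and names with conflicting values."""
    identical = sorted(n for n, v in dupes.items() if len(set(v)) == 1)
    conflicting = sorted(n for n, v in dupes.items() if len(set(v)) > 1)
    return identical, conflicting


if __name__ == "__main__":
    dupes = duplicate_headers(parse_headers(SAMPLE_RESPONSE))
    identical, conflicting = classify(dupes)
    for name in identical:
        print(f"duplicate, same value (fix the web server config): {name}: {dupes[name][0]}")
    for name in conflicting:
        print(f"CONFLICT, differing values (fix this first): {name}: {dupes[name]}")
```

Pipe a real response in with `curl -I -s https://your.host | python3 check_headers.py` after replacing SAMPLE_RESPONSE with `sys.stdin.read()`; a conflicting entry is worth fixing before the identical ones, since browsers do not pick a single winner for most of these headers.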
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Jan 19, 2020
The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts.
Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers are set twice, which leads to warnings in the admin area.
Using "setifempty" solves the problem. In the default case where the system admin didn't do anything, Nextcloud will add them automatically. On the other hand, when the system administrator has already set security headers, we should not add ours on top.
See github issues nextcloud#16893 nextcloud#16476 nextcloud#16938 nextcloud#18017
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Jan 19, 2020
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Jan 19, 2020
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Jan 19, 2020
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Jan 20, 2020
The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts.
Using "set" in the .htaccess of Nextcloud leads to the situation where the headers are set twice, which leads to warnings in the admin area.
Using "setifempty" solves the problem. In the default case where the system admin didn't do anything, Nextcloud will add them automatically. On the other hand, when the system administrator has already set security headers, we should not add ours on top.
See github issues nextcloud#16893 nextcloud#16476 nextcloud#16938 nextcloud#18017

Signed-off-by: zertrin <zertrin@gmail.com>
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Jan 28, 2020
The headers might already be set by the system administrator at the http server
level (apache or nginx) for some or all virtualhosts.

Using "always set" in the .htaccess of Nextcloud leads to the situation where
the headers might be set twice (once in the default 'onsuccess' table and once
in the 'always' table), which leads to warnings in the admin area.

Adding "onsuccess unset" solves the problem, and forces the header in
the 'onsuccess' table to be unset, and the header in the 'always' table to be set.

NOTE: with this change, Nextcloud overrides whatever the system administrator
might have already set

See github issues nextcloud#16893 nextcloud#16476 nextcloud#16938 nextcloud#18017 and discussion in PR nextcloud#19002

Signed-off-by: zertrin <zertrin@gmail.com>
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Jan 28, 2020
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Mar 5, 2020
zertrin added a commit to zertrin/nextcloud-server that referenced this issue Mar 5, 2020
backportbot-nextcloud bot pushed a commit that referenced this issue Apr 25, 2020
The headers might already be set by the system administrator at the http server
level (apache or nginx) for some or all virtualhosts.

Using "always set" in the .htaccess of Nextcloud leads to the situation where
the headers might be set twice (once in the default 'onsuccess' table and once
in the 'always' table), which leads to warnings in the admin area.

Adding "onsuccess unset" solves the problem, and forces the header in
the 'onsuccess' table to be unset, and the header in the 'always' table to be set.

NOTE: with this change, Nextcloud overrides whatever the system administrator
might have already set

See github issues #16893 #16476 #16938 #18017 and discussion in PR #19002

Signed-off-by: zertrin <zertrin@gmail.com>