[Bug]: Misleading warning regarding X-Robots-Tags #37355

Closed
Whissi opened this issue Mar 22, 2023 · 5 comments

Comments


Whissi commented Mar 22, 2023

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

After upgrading to Nextcloud v26.0.0, I am getting the "Security & setup warning"

The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

However, I already configured my instance to send

X-Robots-Tag: none

which is the same as sending "noindex, nofollow"; see https://developers.google.com/search/docs/advanced/robots/robots_meta_tag?hl=de#none

Steps to reproduce

  1. Install Nextcloud v26.0.0
  2. Configure your webserver to send header "X-Robots-Tag: none" for your Nextcloud instance
  3. Check with /settings/admin/overview for warnings

Expected behavior

No warning at all.

Installation method

Community Manual installation with Archive

Operating system

Other

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

Enabled:
  - activity: 2.18.0
  - admin_audit: 1.16.0
  - bookmarks: 13.0.1
  - circles: 26.0.0
  - cloud_federation_api: 1.9.0
  - contactsinteraction: 1.7.0
  - dashboard: 7.6.0
  - dav: 1.25.0
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - firstrunwizard: 2.15.0
  - groupfolders: 14.0.0
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - nextcloud_announcements: 1.15.0
  - notifications: 2.14.0
  - notify_push: 0.6.0
  - oauth2: 1.14.0
  - password_policy: 1.16.0
  - photos: 2.2.0
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - recommendations: 1.5.0
  - related_resources: 1.1.0-alpha1
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - support: 1.9.0
  - survey_client: 1.14.0
  - systemtags: 1.16.0
  - text: 3.7.2
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - twofactor_totp: 8.0.0-alpha.0
  - updatenotification: 1.16.0
  - user_status: 1.6.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflowengine: 2.8.0
Disabled:
  - bruteforcesettings: 2.6.0
  - comments: 1.16.0 (installed 1.3.0)
  - encryption: 2.14.0
  - files_external: 1.18.0
  - suspicious_login: 4.4.0
  - user_ldap: 1.16.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

Whissi added the "0. Needs triage" and "bug" labels Mar 22, 2023

szaimen (Contributor) commented Mar 22, 2023

cc @MichaIng

Whissi (Author) commented Mar 22, 2023

According to #36689 you changed from "none" to "noindex, nofollow" on purpose due to unknown support status besides Google. Tough question if you still want to accept "none" in that case...

MichaIng (Member) commented Mar 22, 2023

> which is the same as sending "noindex, nofollow"

Only for Google, not for all search engines. Please read the info and links given in the PR. I can in fact verify this with Bing. I was always wondering why some pages on our website were kept in the Bing index, and after changing the header, they started to be taken out of the index.

> Tough question if you still want to accept "none" in that case...

I think it is irresponsible to leave private Nextcloud instances knowingly exposed to search engines. It is a single header change, and it does not break Nextcloud if you do not change it, it is just a totally correct warning that your privacy is currently not assured.
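
An added example (not part of the issue thread and not Nextcloud's own check): a small Python classifier that separates the explicit `noindex, nofollow` form the warning asks for from the `none` shorthand discussed above, ignoring rules scoped to a single crawler. The function names, result labels and sample header values are assumptions constructed for illustration.

```python
"""Classify X-Robots-Tag header values (illustrative, not Nextcloud code)."""

# Directives written as "name: value"; a colon after these is not a crawler prefix.
VALUED = {"unavailable_after", "max-snippet", "max-image-preview", "max-video-preview"}


def global_directives(header_values):
    """Return the lower-cased directives that apply to all crawlers."""
    found = set()
    for value in header_values:
        head, sep, _ = value.partition(":")
        # "googlebot: noindex" restricts the rule to one crawler, so it says
        # nothing about every other search engine; skip such values.
        if sep and "," not in head and head.strip().lower() not in VALUED:
            continue
        for token in value.split(","):
            name = token.split(":", 1)[0].strip().lower()
            if name:
                found.add(name)
    return found


def classify(header_values):
    """Return 'explicit', 'none-shorthand' or 'insufficient'."""
    directives = global_directives(header_values)
    if {"noindex", "nofollow"} <= directives:
        return "explicit"        # the form the setup warning asks for
    if "none" in directives:
        return "none-shorthand"  # the form this issue was opened about
    return "insufficient"        # neither form is set for all crawlers


# Constructed sample responses: each entry is the list of X-Robots-Tag
# header values one server might send.
SAMPLES = [
    ["none"],
    ["noindex, nofollow"],
    ["NoIndex", "NOFOLLOW"],
    ["googlebot: noindex, nofollow"],
    [],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {classify(sample)}")
```
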

MichaIng removed the "bug" and "0. Needs triage" labels Mar 22, 2023

Whissi (Author) commented Mar 22, 2023

Well, in #36689 (comment) you posted the idea of showing a different message which would be a good idea...

MichaIng (Member) commented Mar 22, 2023

It was a suggestion which no one responded to. If more people keep asking about it, I may reconsider, but you do know about it now, so no need to add it for you 😉. But I added it to #34692.
