summaryrefslogtreecommitdiffstats
path: root/.htaccess
diff options
context:
space:
mode:
authorzertrin <zertrin@gmail.com>2020-01-19 23:53:08 +0800
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>2020-04-25 18:02:48 +0000
commit814f19ae67f53f8715b0e397c96f4a4466cf1dc5 (patch)
tree06b4f9ceda3f8e7485a5c2cee6e95ac666d8a81c /.htaccess
parent12ca86d8e25ffae0d9b0cac6fd4db2c0f1f4c650 (diff)
downloadnextcloud-server-814f19ae67f53f8715b0e397c96f4a4466cf1dc5.tar.gz
nextcloud-server-814f19ae67f53f8715b0e397c96f4a4466cf1dc5.zip
Fix security header setting in .htaccess by adding 'onsuccess unset'
The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts. Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers might be set twice (once in the default 'onsuccess' table and once in the 'always' table)! Which leads to warnings in the admin area. Adding "onsuccess unset" solves the problem, and forces the header in the 'onsucess' table to be unset, and the header in the 'always' table to be set. NOTE: with this change, Nextcloud overrides whatever the system administrator might have already set See github issues #16893 #16476 #16938 #18017 and discussion in PR #19002 Signed-off-by: zertrin <zertrin@gmail.com>
Diffstat (limited to '.htaccess')
-rw-r--r--.htaccess17
1 files changed, 17 insertions, 0 deletions
diff --git a/.htaccess b/.htaccess
index 8b91422755c..87280cc9e01 100644
--- a/.htaccess
+++ b/.htaccess
@@ -11,13 +11,30 @@
<IfModule mod_env.c>
# Add security and privacy related headers
+
+ # Avoid doubled headers by unsetting headers in "onsuccess" table,
+ # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
+ Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "no-referrer"
+
+ Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
+
+ Header onsuccess unset X-Download-Options
Header always set X-Download-Options "noopen"
+
+ Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
+
+ Header onsuccess unset X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"
+
+ Header onsuccess unset X-Robots-Tag
Header always set X-Robots-Tag "none"
+
+ Header onsuccess unset X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
+
SetEnv modHeadersAvailable true
</IfModule>