How to fix warnings on "X-XSS-Protection" HTTP & "Strict-Transport-Security" HTTP

Hello!

Steps to reproduce

  1. Install ownCloud via DigitalOcean one-click marketplace
  2. As admin, log in to ownCloud > General tab

Expected behaviour

No warnings should be displayed

Actual behaviour

Security & setup warnings:

  • The “X-XSS-Protection” HTTP header is not configured to equal to “0”. This is a potential security or privacy risk and we recommend adjusting this setting.
  • The “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

Server configuration

Operating system:
Ubuntu 20.04 x64

Web server:

Database:

PHP version:
7.4.20

ownCloud version: (see ownCloud admin page)
10.7.0.4

Updated from an older ownCloud or fresh install:

Where did you install ownCloud from:
DigitalOcean

Question:
I believe this should be a known issue, so I just wanted to ask which files in the server I should update.

Thanks!

Hey,

it seems the ownCloud people are providing extensive documentation on how to solve these warnings:

https://doc.owncloud.com/server/10.8/admin_manual/configuration/server/security_setup_warnings.html#the-strict-transport-security-http-header-is-not-configured

https://doc.owncloud.com/server/10.8/admin_manual/configuration/server/harden_server.html#serve-security-related-headers-by-the-web-server

2 Likes
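
A checker for the two conditions named in the warnings above, added here as an example (it is not part of the thread or of ownCloud's code). The function names and both sample response heads are constructed for illustration.

```python
import re

HSTS_MIN_AGE = 15552000  # seconds, the minimum quoted in the warning text

# Constructed sample response heads, not captured from a real server.
BEFORE = "HTTP/1.1 200 OK\nX-XSS-Protection: 1; mode=block\nContent-Type: text/html\n\n"
AFTER = ("HTTP/1.1 200 OK\nX-XSS-Protection: 0\n"
         "Strict-Transport-Security: max-age=15552000; includeSubDomains\n\n")

def parse_headers(raw):
    """Parse a raw response head into {lowercase name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')  # max-age may be a quoted string
        if key.strip().lower() == "max-age" and re.fullmatch(r"[0-9]+", val):
            return int(val)
    return None

def check(raw):
    """Return findings for the two headers named in the warnings."""
    h = parse_headers(raw)
    findings = []
    # A header sent twice is reported too (a choice made in this example).
    xss = h.get("x-xss-protection", [])
    if xss != ["0"]:
        findings.append("X-XSS-Protection is not exactly '0': %r" % xss)
    hsts = h.get("strict-transport-security", [])
    age = hsts_max_age(hsts[0]) if len(hsts) == 1 else None
    if age is None or age < HSTS_MIN_AGE:
        findings.append("HSTS max-age below %d: %r" % (HSTS_MIN_AGE, hsts))
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check(raw) or "ok")
```

After changing the web server configuration, pass `check()` the head of a real response from the instance (for example the output of `curl -sI`) to confirm both warnings should clear.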
