Please help us by providing the following info. Before posting please also check the pinned "Known issues" threads and make sure that you're running the latest available version for your oC release: https://owncloud.org/changelog/
Background
I am running a Docker image for LetsEncrypt, a mySQL Docker, and OwnCloud on a Ubuntu 16.10 VM. The local OC works as expected, http://localhost/owncloud as well as externally via https://domain.net/owncloud. The issue is that I am getting the following security errors:
The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
I have added the following lines in various places:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
including the server and location blocks:
location /owncloud {
    #rewrite /owncloud/(.*) /$1 break;
    #rewrite ^/owncloud$ /owncloud/ permanent;
    proxy_pass http://10.0.0.54:80;
    #proxy_redirect / /owncloud/;
    proxy_set_header Host $host;
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    location /owncloud/owncloud {
        return 301 https://domain.net/owncloud;
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
    }
}
Steps to reproduce
1. Login and go to admin page
Expected behaviour
I would like the security warnings to be addressed.
Actual behaviour
In the admin page I am getting the following warnings:
The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
Server configuration
Operating system: Ubuntu
Web server: Apache locally (HTTP) and externally facing LetsEncrypt/Nginx
Database: mySQL
PHP version: whatever is bundled with OC 9.1.x
ownCloud version (see ownCloud admin page): current 9.1.x
Updated from an older ownCloud or fresh install:
Special configuration (external storage, external authentication, reverse proxy, server-side-encryption):
Integrity status for oC9+
Thanks for any help you can offer!
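Added example, not part of the forum post and not ownCloud's or nginx's own code: a small checker for the four response headers the admin page complains about, run here against two constructed sample responses. The nginx behaviour it illustrates is the likely cause of the warnings: in the posted config the add_header directives sit only inside location /owncloud/owncloud, so they are attached to that 301 redirect alone, while the pages proxied through location /owncloud get none (add_header is inherited from an enclosing block only when the current block has no add_header of its own, so the directives belong in the location /owncloud block that proxies to Apache, with the always parameter if they should also be sent on error responses). The host name domain.net is the poster's placeholder, and both sample header blocks, including the assumption that the backend Apache adds no security headers itself, are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the forum post: check a captured HTTP response
# header block for the values ownCloud's admin page expects. In real use,
# capture the headers of the proxied page (domain.net is a placeholder):
#   curl -sI https://domain.net/owncloud/ > headers.txt
# and run: check_security_headers headers.txt

# has_header FILE NAME VALUE
# True if FILE holds a header NAME (case-insensitive) whose trimmed value
# equals VALUE exactly. CRs from CRLF line endings are stripped first.
has_header() {
    lname=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    actual=$(tr -d '\r' < "$1" | awk -v n="$lname" '
        {
            i = index($0, ":")
            if (i == 0) next                        # status line or blank line
            if (tolower(substr($0, 1, i - 1)) != n) next
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)        # trim surrounding whitespace
            print val
            exit
        }')
    [ "$actual" = "$3" ]
}

# check_security_headers FILE
# Checks the four headers named in the admin warnings; prints each one that is
# missing or carries a different value. Returns 0 only if all four match.
check_security_headers() {
    missing=0
    for pair in \
        'X-XSS-Protection=1; mode=block' \
        'X-Content-Type-Options=nosniff' \
        'X-Robots-Tag=none' \
        'X-Frame-Options=SAMEORIGIN'
    do
        name=${pair%%=*}      # text before the first '='
        value=${pair#*=}      # text after the first '=' ('mode=block' stays intact)
        if ! has_header "$1" "$name" "$value"; then
            echo "missing or wrong: $name (expected \"$value\")"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample responses (not captured from a real server).
# REDIRECT mimics the 301 from 'location /owncloud/owncloud', the only block
# in the posted config that carries add_header directives.
REDIRECT=$(mktemp)
printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://domain.net/owncloud\r\nStrict-Transport-Security: max-age=15768000; includeSubDomains; preload;\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nX-Robots-Tag: none\r\n\r\n' > "$REDIRECT"

# PROXIED mimics a page served through 'location /owncloud'; assuming the
# backend Apache adds no security headers of its own, nginx adds none here.
PROXIED=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html; charset=utf-8\r\nX-Powered-By: PHP\r\n\r\n' > "$PROXIED"

echo "redirect response:"
check_security_headers "$REDIRECT" && echo "all four headers present"
echo "proxied response:"
check_security_headers "$PROXIED" || echo "headers missing on the page the admin check actually loads"
```

Running it shows every header present on the redirect sample and all four reported missing on the proxied sample, which is exactly the split the admin page sees: it examines the response of the page it loads, not the redirect. After moving the add_header lines into location /owncloud, the same script run on a fresh curl capture should report nothing.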