X-Content-Type-Options and X-Frame-Options warnings for nginx rev proxy

Hello, just now setting up ownCloud on a LAMP stack / Ubuntu 14 behind an nginx reverse proxy. I can't seem to resolve the following warnings / security holes:

  • The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
  • The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

Here's the apache2.conf header block I added:

<IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff
  Header always append X-Frame-Options SAMEORIGIN
</IfModule>

For the nginx reverse proxy configuration, here's the Location block from the pertinent site enabled config:

            location / {
                    proxy_set_header X-Frame-Options SAMEORIGIN;
                    proxy_set_header X-Content-Type-Options nosniff;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-Host $server_name;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header Host $host;
                    proxy_pass http://10.0.0.100:80;
            }

What am I missing?

Hi,

Make sure that you're not setting the header twice (check with curl).

Also moving to the Miscellaneous category, as this is more a webserver-related question. You might also need to get some help from a community dedicated to your webservers.

Hello,
I've got the same problem in apache2, I can't seem to solve the described warnings.

Anyone solved this?
How do I check with curl if I'm setting headers twice?
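One way to do the curl check suggested above, as an added example that is not part of the original thread and not ownCloud's own code: the script reads raw HTTP response headers (piped in from `curl -sI`, or the constructed samples embedded below) and reports, for each of the two headers the warning names, whether it is missing, has the wrong value, or is sent more than once. Two points about the posted configuration matter when reading the result. `proxy_set_header` only changes the request nginx forwards to the Apache backend, so the `proxy_set_header X-Frame-Options` and `X-Content-Type-Options` lines never reach the browser; the response-side directive is `add_header` (for example `add_header X-Frame-Options SAMEORIGIN;` in the `location /` block; an `add_header` inside a location replaces any inherited from the server level, and the `always` parameter only exists from nginx 1.7.5). Set each header in one layer only, Apache or nginx: if both emit it the client sees it twice, which is the condition the reply warns about and the script flags. In Apache, `Header always set` is the safer form than `append`, since `append` merges onto an existing value with a comma. The hostname `cloud.example.com` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for this thread (not code from ownCloud or from the posters above):
# check a server's response headers the way ownCloud's setup check does, and flag
# the case the reply above warns about, a header that is emitted twice (for
# instance once by Apache and once by the nginx proxy in front of it).
#
# Live usage against the proxy (cloud.example.com is a placeholder hostname):
#   curl -sI https://cloud.example.com/ | check_owncloud_headers
# -sI fetches only the response headers, which is all this script needs.

# check_header NAME EXPECTED
# Reads raw HTTP response headers on stdin. Header names are matched
# case-insensitively and CRLF line endings are tolerated. Prints one status
# line and returns 0 only when the header appears exactly once with the
# expected value.
check_header() {
    ch_name=$1
    ch_expected=$2
    ch_lname=$(printf '%s' "$ch_name" | tr 'A-Z' 'a-z')

    # Collect every value sent for this header, one per line, whitespace trimmed.
    ch_values=$(tr -d '\r' | awk -v n="$ch_lname" '{
        i = index($0, ":")
        if (i > 0 && tolower(substr($0, 1, i - 1)) == n) {
            v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            print v
        }
    }')

    if [ -z "$ch_values" ]; then
        ch_count=0
    else
        ch_count=$(printf '%s\n' "$ch_values" | wc -l | tr -d ' ')
    fi

    case $ch_count in
        0)
            echo "$ch_name: missing"
            return 1 ;;
        1)
            if [ "$ch_values" = "$ch_expected" ]; then
                echo "$ch_name: ok"
                return 0
            fi
            echo "$ch_name: wrong value '$ch_values' (expected '$ch_expected')"
            return 1 ;;
        *)
            # Two copies mean two layers are setting it; keep exactly one.
            echo "$ch_name: set $ch_count times"
            return 1 ;;
    esac
}

# check_owncloud_headers: run both checks from the warning on the headers
# given on stdin; returns 0 only when both pass.
check_owncloud_headers() {
    co_hdrs=$(cat)
    co_rc=0
    printf '%s\n' "$co_hdrs" | check_header X-Content-Type-Options nosniff || co_rc=1
    printf '%s\n' "$co_hdrs" | check_header X-Frame-Options SAMEORIGIN || co_rc=1
    return $co_rc
}

# Constructed sample responses (not captured from a real server).
# 1) The frame header is emitted twice and nosniff never reaches the client.
SAMPLE_DUPLICATE='HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN'

# 2) A response that satisfies the check: each header exactly once
#    (lower-case header names are fine, HTTP header names are case-insensitive).
SAMPLE_FIXED='HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Content-Type: text/html; charset=utf-8
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN'

printf '%s\n' "$SAMPLE_DUPLICATE" | check_owncloud_headers || echo "-> warnings will persist"
printf '%s\n' "$SAMPLE_FIXED" | check_owncloud_headers && echo "-> both headers pass"
```

Run it against the address the browser uses (the nginx proxy), not against the backend on 10.0.0.100 directly, because ownCloud's setup check is performed by the browser through the proxy; a header that is correct on the backend but duplicated or dropped by the proxy still produces the warning.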

Hi everyone, I run ownCloud 10.4.1 and I find the following warning messages:
Security and configuration notices

  • We recommend enabling system cron since any other method has potential performance and reliability implications.

  • Some files failed the integrity check. More information on how to solve this problem is available in our documentation. (List of invalid files … / New scan …)

  • The “X-Content-Type-Options” HTTP header is not configured as “nosniff”. This is a potential risk of data security or confidentiality and we recommend changing this setting.

  • The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential risk of data security or confidentiality and we recommend changing this setting.

How can I solve this kind of problem?
Thank you.

Hey,

If I'm remembering correctly, each text has a link to the documentation describing the steps required, which I think should help to resolve these hints.