X-Content-Type-Options and X-Frame-Options warnings for nginx rev proxy

webserver_issue

#1

Hello, just now setting up ownCloud on a LAMP stack / Ubuntu 14 behind a nginx reverse proxy. I can't seem to resolve the following warnings / security holes:

  • The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
  • The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

Here's the apache2.conf header block I added:

<IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff
  Header always append X-Frame-Options SAMEORIGIN
</IfModule>

For the nginx reverse proxy configuration, here's the Location block from the pertinent site enabled config:

location / {
    proxy_set_header X-Frame-Options SAMEORIGIN;
    proxy_set_header X-Content-Type-Options nosniff;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_pass http://10.0.0.100:80;
}

What am I missing?


#2

Hi,

make sure that you're not setting the header twice (check with curl).

Also moving to the Miscellaneous category as this is more a webserver related question. You might also need to get some help from a community dedicated to your webservers.


#3

Hello,
I've got the same problem in apache2, I can't seem to solve the described warnings.

Anyone solved this?
How to check with curl if I'm setting headers twice?
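One way to do the curl check that #2 suggests and #3 asks about, added here as an example and not part of the thread: it dumps the response headers and reports whether each of the two headers ownCloud complains about is missing, correct, wrong, or sent more than once (as happens when both Apache and the proxy add it). The URL is yours to supply; the sample header dump at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the state of one response header.
# $1 = header name, $2 = expected value, $3 = raw response headers (curl -D - output)
# Prints "missing", "ok", "wrong (<value>)" or "duplicate (<n>)"; value compare is case-insensitive.
header_status() {
    name=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # strip CR line endings, keep only the lines for this header (grep returns 1 on none)
    lines=$(printf '%s\n' "$3" | tr -d '\r' | grep -i "^$name:" || true)
    if [ -z "$lines" ]; then
        echo "missing"
        return 0
    fi
    count=$(printf '%s\n' "$lines" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        # same header emitted twice, e.g. once by Apache and once by nginx
        echo "duplicate ($count)"
        return 0
    fi
    value=$(printf '%s' "$lines" | cut -d: -f2- \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]')
    if [ "$value" = "$expected" ]; then
        echo "ok"
    else
        echo "wrong ($value)"
    fi
}

# Fetch headers of a live URL with a GET (-D - dumps headers, body discarded)
# and check the two headers ownCloud warns about. No redirect following: if the
# URL redirects, pass the final location, as that is the response the browser sees.
check_url() {
    dump=$(curl -s -o /dev/null -D - "$1")
    echo "X-Content-Type-Options: $(header_status X-Content-Type-Options nosniff "$dump")"
    echo "X-Frame-Options: $(header_status X-Frame-Options SAMEORIGIN "$dump")"
}

# Constructed sample of a header dump where the proxy and backend both set X-Frame-Options
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

if [ "$#" -gt 0 ]; then
    check_url "$1"    # e.g. ./check.sh https://cloud.example.com/ (placeholder URL)
fi
```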