X-Content-Type-Options and X-Frame-Options warnings for nginx rev proxy

uotw · November 25, 2016, 2:04am

Hello, just now setting up ownCloud on a LAMP stack / Ubuntu 14 behind a nginx reverse proxy. I can’t seem to resolve the following warnings / security holes:

The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.

The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.

Here’s the apache2.conf header block I added:

<IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff
  Header always append X-Frame-Options SAMEORIGIN
</IfModule>

For the nginx reverse proxy configuration, here’s the Location block from the pertinent site enabled config:

            location / {
                    proxy_set_header X-Frame-Options SAMEORIGIN;
                    proxy_set_header X-Content-Type-Options nosniff;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-Host $server_name;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header Host $host;
                    proxy_pass http://10.0.0.100:80;
            }

What am I missing?

anon30676603 · November 25, 2016, 7:23am

Hi,

make sure that you’re not setting the header twice (check with curl).

Also moving to the Miscellenaous category as this is more a webserver related question. You might also need to get some help from a community dedicated to your webservers.

blast1987 · January 12, 2018, 11:34am

Hello,
i’ve got the same problem in apache2, i can’t seem to solve the described warnings

anyone solved this?
how to check with curl if i’m setting headers twice?

dpullia · August 3, 2020, 10:11am

Hi Everyone I run owncloud 10.4.1 and I find the following warning messages:
Security and configuration notices

We recommend enabling system cron since any other method has potential performance and reliability implications.
Some files failed the integrity check. More information on how to solve this problem is available in our documentation. (List of invalid files … / New scan …)
The “X-Content-Type-Options” HTTP header is not configured as “nosniff”. This is a potential risk of data security or confidentiality and we recommend changing this setting.
The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential risk of data security or confidentiality and we recommend changing this setting.

How can I solve this kind of problem?
Thank you.

anon21401411 · August 9, 2020, 10:28am

Hey,

if i’m remembering correctly each text has a link to the documentation describing the steps required which i think should help to resolve these hints.

steve.tmq · April 18, 2022, 9:31am

It’s hard to know where to find info on how to solve such errors. I have found setting for “nosniff” all over the place.