X-Frame error SAMEORIGIN

9.0.x
hosting

#1

Hi all

Hosting my own ownCloud server and it works very well... Love it... However....
I logged in as admin today and had my first error...

The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

I have tried to do some research on this and not found a definitive workaround or even if I should be concerned so thought I'd try here...

I have checked my ownCloud .htaccess file and the x-frame-option is set to SAMEORIGIN


```
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true
```

Should I be concerned about this error? I have looked around and there are conflicting views. My server is 9.0.9 stable. If anyone can help or point me in the right direction I'd appreciate it..

Best wishes to all

Del


#2

As you have also posted https://central.owncloud.org/t/server-9-0-9-only-error/7755 the root cause is most likely the same:

  1. Your webserver is not using .htaccess files at all
  2. You don't have the needed headers module enabled

As both messages are not ownCloud specific and the configuration heavily depends on the webserver you use (ownCloud just gives you generic hints about possible webserver configuration hardening), it's highly recommended that you ask for more support in a forum dedicated to the webserver you use.
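
Both causes named in post #2 look the same from outside: the headers set in .htaccess never reach the client. The following is an added example, not part of the thread or of ownCloud's code. It audits a raw response head (for instance the output of `curl -sI` against your own server) against the values from the .htaccess in post #1. The function names and sample responses are constructed for illustration.

```python
# Added example. Expected values are copied from the .htaccess quoted in post #1.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-robots-tag": "none",
    "x-frame-options": "SAMEORIGIN",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
}

def parse_headers(raw):
    """Map lower-cased header names to every value sent in the first response head."""
    seen = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():           # a blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            seen.setdefault(name.strip().lower(), []).append(value.strip())
    return seen

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'mismatch: <values>'} for EXPECTED."""
    seen = parse_headers(raw)
    report = {}
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) == 1 and values[0].lower() == want.lower():
            report[name] = "ok"
        else:  # wrong value, or the header was sent more than once
            report[name] = "mismatch: " + " | ".join(values)
    return report

# Constructed sample: what a server sends when .htaccess is ignored or the
# headers module is off (the two causes named in post #2).
NOT_APPLIED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"
# Constructed sample: the .htaccess directives are taking effect.
APPLIED = "HTTP/1.1 200 OK\r\n" + "".join(
    f"{name}: {value}\r\n" for name, value in EXPECTED.items()) + "\r\n"
# Constructed sample: header present but with a different value.
WRONG_VALUE = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("not applied", NOT_APPLIED), ("applied", APPLIED),
                       ("wrong value", WRONG_VALUE)]:
        print(label, audit(raw))
```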