Fix security header setting in .htaccess by adding 'onsuccess unset'

The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts. Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers might be set twice (once in the default 'onsuccess' table and once in the 'always' table)! Which leads to warnings in the admin area. Adding "onsuccess unset" solves the problem, and forces the header in the 'onsucess' table to be unset, and the header in the 'always' table to be set. NOTE: with this change, Nextcloud overrides whatever the system administrator might have already set See github issues nextcloud#16893 nextcloud#16476 nextcloud#16938 nextcloud#18017 and discussion in PR nextcloud#19002 Signed-off-by: zertrin <zertrin@gmail.com>
zertrin · Mar 5, 2020 · 4505af9 · 4505af9
1 parent 48b374f
commit 4505af9
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/.htaccess b/.htaccess
@@ -11,13 +11,34 @@
 
   <IfModule mod_env.c>
     # Add security and privacy related headers
+
+    # For each header, we need two directives
+    # because Apache stores the headers in two separate tables.
+    # Headers might already be set by the server administrator unbeknown to Nextcloud.
+    # This guarantees that the header set in the 'onsuccess' table is removed,
+    # and the one set in the 'always' table is added (or replaced if already set).
+    # See https://github.com/nextcloud/server/pull/19002 for the associated discussion.
+    Header onsuccess unset Referrer-Policy
     Header always set Referrer-Policy "no-referrer"
+
+    Header onsuccess unset X-Content-Type-Options
     Header always set X-Content-Type-Options "nosniff"
+
+    Header onsuccess unset X-Download-Options
     Header always set X-Download-Options "noopen"
+
+    Header onsuccess unset X-Frame-Options
     Header always set X-Frame-Options "SAMEORIGIN"
+
+    Header onsuccess unset X-Permitted-Cross-Domain-Policies
     Header always set X-Permitted-Cross-Domain-Policies "none"
+
+    Header onsuccess unset X-Robots-Tag
     Header always set X-Robots-Tag "none"
+
+    Header onsuccess unset X-XSS-Protection
     Header always set X-XSS-Protection "1; mode=block"
+
     SetEnv modHeadersAvailable true
   </IfModule>