
The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". #8550

Closed

bakkerl opened this issue Feb 26, 2018 · 10 comments

bakkerl commented Feb 26, 2018

### Steps to reproduce

  1. Install Nextcloud, latest version 13.0.0.0
  2. Configure Apache to have 'X-Frame-Options: SAMEORIGIN' set as header
  3. View the admin settings. Admin page will give X-Frame-Options error: "The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly."
  4. https://scan.nextcloud.com reports green on "X-Frame-Options" result.
  5. Make sure Chrome developer tools shows "X-Frame-Options: SAMEORIGIN" in header.

### Expected behaviour

No warning message about X-Frame-Options

### Actual behaviour

Admin page will give X-Frame-Options error: "The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly."

### Server configuration

**Operating system:** CentOS Linux release 7.4.1708 (Core)
**Web server:** Server version: Apache/2.4.29 (Unix)
**Database:** mysql Ver 15.1 Distrib 5.5.41-MariaDB, for Linux (x86_64) using readline 5.1
**PHP version:** PHP 7.1.14 (cli) (built: Feb 3 2018 09:42:33) ( NTS )
**Nextcloud version:** 13.0.0
**Updated from an older Nextcloud/ownCloud or fresh install:** update from older version, from 11 up to current.
**Where did you install Nextcloud from:** https://nextcloud.com/install/

**Signing status:**
<details>
<summary>Signing status</summary>
"No errors have been found."
</details>

**List of activated apps:**
<details>
<summary>App list</summary>
Enabled:
  - activity: 2.6.1
  - admin_audit: 1.3.0
  - bruteforcesettings: 1.0.3
  - comments: 1.3.0
  - dav: 1.4.6
  - federatedfilesharing: 1.3.1
  - federation: 1.3.0
  - files: 1.8.0
  - files_pdfviewer: 1.2.0
  - files_retention: 1.2.0
  - files_sharing: 1.5.0
  - files_texteditor: 2.5.1
  - files_trashbin: 1.3.0
  - files_versions: 1.6.0
  - files_videoplayer: 1.2.0
  - firstrunwizard: 2.2.1
  - gallery: 18.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.1.0
  - nextcloud_announcements: 1.2.0
  - notifications: 2.1.2
  - oauth2: 1.1.0
  - password_policy: 1.3.0
  - provisioning_api: 1.3.0
  - serverinfo: 1.3.0
  - sharebymail: 1.3.0
  - survey_client: 1.1.0
  - systemtags: 1.3.0
  - theming: 1.4.1
  - twofactor_backupcodes: 1.2.3
  - updatenotification: 1.3.0
  - workflowengine: 1.3.0
Disabled:
  - caniupdate
  - encryption
  - files_external
  - user_external
  - user_ldap
</details>

**Nextcloud configuration:**
<details>
<summary>Config report</summary>

```json
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "lannerd.cyberbunker.nl"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/lannerd.cyberbunker.nl",
        "dbtype": "mysql",
        "version": "13.0.0.14",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "log_type": "owncloud",
        "logfile": "\/home\/lannerd\/domains\/lannerd.cyberbunker.nl\/owncloud.log",
        "loglevel": 0,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "maintenance": false,
        "user_backends": [
            {
                "class": "OCA\\ZimbraDrive\\Auth\\ZimbraUsersBackend",
                "arguments": []
            }
        ]
    }
}
```

</details>

**Are you using external storage, if yes which one:** local
**Are you using encryption:** no
**Are you using an external user-backend, if yes which one:** Zimbra (disabled)

### Client configuration
**Browser:** Chrome
**Operating system:** Windows 10

### Logs
#### Web server error log
<details>
<summary>Web server error log</summary>
</details>

#### Nextcloud log (data/nextcloud.log)
<details>
<summary>Nextcloud log</summary>
</details>

#### Browser log
<details>
<summary>Browser log</summary>

```http
HTTP/1.1 200 OK
Date: Mon, 26 Feb 2018 18:51:22 GMT
Server: Apache/2
Strict-Transport-Security: max-age=31536000; includeSubDomains
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-ZEJsL2JITVdsWVdRNW56WVpjb202dHlEdzBKUWNFZXdTRVN2a3phVGJiST06SlZZTkdrQlY0Ynp6Z1NpMUxvaEsyWmZSbFRZWFBpVGFJQ3VjOFZMd1h0Yz0=' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Length: 6095
Keep-Alive: timeout=2, max=100
Content-Type: text/html; charset=UTF-8
```

</details>

MorrisJobke (Member) commented

> Configure apache to have 'X-Frame-Options: SAMEORIGIN' set as header

This should not be set in the web server, because we also set it in PHP - see #8207 for the full discussion about detecting this. As of now you should just remove it from the web server config and all should be fine. We are looking into detecting if it is set by the web server and then disable the PHP code for this.

MorrisJobke (Member) commented

Closing as duplicate of #8207

bakkerl (Author) commented Feb 27, 2018 via email

Grimeton commented Nov 16, 2018

It seems like modHeadersAvailable is not recognized for the X-Frame-Options header. Deactivating it in the server's settings lets all kinds of header errors pop up again. Reactivating it again and the errors go away, except for the X-Frame-Options problem.

Also, the header is in the response of the server, but it's still shown as a problem on the scan.nextcloud.com website. Which is weird. I know for a fact that my webserver always serves its headers...

I guess that's caused by the header showing up multiple times?

kesselb (Contributor) commented Nov 16, 2018

If the header is defined by nginx.conf remove it.

Grimeton commented

@danielkesselberg been there, done that. Doesn't change a thing.

kesselb (Contributor) commented Nov 16, 2018

Hmm. We usually use the forum for configuration issues. It sounds like that somehow. If you think this is a software issue I would like to ask you to open a new issue, because this one is closed. Thank you!

vandman commented Jan 25, 2019

Nextcloud 15.0.2
I get the message: The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"
I tried to set it into apache (Apache/2.4.25 (Debian)):

```apache
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
```

It did not change anything???
Any clue???

baoang commented Jan 28, 2019

> Nextcloud 15.0.2
> I get the message: The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"
> I tried to set it into apache (Apache/2.4.25 (Debian)):
>
> ```apache
> <IfModule mod_headers.c>
>   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
>   Header set X-Frame-Options "SAMEORIGIN"
> </IfModule>
> ```
>
> It did not change anything???
> Any clue???

Mine is Nginx, and I am running NC 14; the same reminder appeared recently, while it hadn't for a long time since I upgraded to NC 14.

My Nginx version is 1.14.2

kesselb (Contributor) commented Jan 28, 2019

> This should not be set in the web server, because we also set it in PHP - see #8207 for the full discussion about detecting this. As of now you should just remove it from the web server config and all should be fine. We are looking into detecting if it is set by the web server and then disable the PHP code for this.

See #8207 for more details and possible workarounds.

```php
header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
```

X-Frame-Options is added to every request by Nextcloud. There are several ways to fix this:

  • Don't set X-Frame-Options in your webserver configuration.
  • If you want to keep it in your webserver configuration: Nginx: `proxy_hide_header X-Frame-Options;` suppresses the header. Apache2: `Header always set X-Frame-Options "SAMEORIGIN"` overwrites the header.
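The failure mode the thread circles around (the header is visibly present in the response, yet the admin check and scan.nextcloud.com complain) is consistent with the header being emitted twice: once by Nextcloud's own `header()` call and once by the web server. The following script is an added example, not Nextcloud's or the reporters' code. It parses a response header block, keeps duplicate header lines, and computes the value a browser's `XMLHttpRequest.getResponseHeader()` would hand back (all values for a name joined with `", "`, per the Fetch specification). The assumption, labelled in the code, is that the admin check compares that combined value against `SAMEORIGIN`; the sample header blocks are constructed from the headers posted above, with a second `X-Frame-Options` line added to reproduce the double-header case. `check_url` runs the same check against a live server and is the piece you would point at your own instance before and after removing the web server directive.

```python
"""Check whether X-Frame-Options reaches the browser exactly once, as SAMEORIGIN.

Added example (not Nextcloud's code). ASSUMPTION: the admin check compares the
browser-combined header value with the string "SAMEORIGIN"; when the web server
and PHP both emit the header, that combined value is "SAMEORIGIN, SAMEORIGIN".
"""
import http.client
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]

# Constructed sample: headers from the issue, plus a second X-Frame-Options
# line as produced when the web server adds one on top of the PHP one.
DOUBLE_HEADER_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 26 Feb 2018 18:51:22 GMT
Server: Apache/2
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the healthy case, header emitted exactly once.
SINGLE_HEADER_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: header suppressed everywhere.
MISSING_HEADER_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw: str) -> List[Header]:
    """Parse a raw HTTP/1.x header block into (name, value) pairs.

    Duplicates and their order are preserved on purpose: collapsing them
    into a dict is exactly what hides this bug.
    """
    headers: List[Header] = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def combined_value(headers: List[Header], name: str) -> Optional[str]:
    """Value a browser's getResponseHeader(name) reports: all values for the
    (case-insensitive) name joined with ", ", or None if absent."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def check_x_frame_options(headers: List[Header]) -> Tuple[bool, str]:
    """Return (ok, reason); ok only when the header is present exactly once
    with value SAMEORIGIN (compared case-insensitively here)."""
    values = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return False, "X-Frame-Options header is missing"
    if len(values) > 1:
        seen = combined_value(headers, "X-Frame-Options")
        return False, (f"X-Frame-Options sent {len(values)} times; browser sees "
                       f"{seen!r} (web server and PHP both set it)")
    if values[0].upper() != "SAMEORIGIN":
        return False, f"X-Frame-Options is {values[0]!r}, expected 'SAMEORIGIN'"
    return True, "X-Frame-Options: SAMEORIGIN set exactly once"


def check_url(url: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Run the same check against a live instance (network; not used offline).
    HTTPResponse.getheaders() returns a list of pairs and keeps duplicates."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return check_x_frame_options(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    samples = [("double", DOUBLE_HEADER_RESPONSE),
               ("single", SINGLE_HEADER_RESPONSE),
               ("missing", MISSING_HEADER_RESPONSE)]
    for label, raw in samples:
        ok, reason = check_x_frame_options(parse_headers(raw))
        print(f"{label:8s} {'OK  ' if ok else 'FAIL'} {reason}")
```

On a real instance, compare `check_url("https://cloud.example.invalid/")` before and after removing the `Header set X-Frame-Options` line (Apache) or adding `proxy_hide_header X-Frame-Options;` (nginx); the "double" sample above is what the Apache `Header set` variant from the thread produces when Nextcloud's PHP has already emitted the header.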

@nextcloud nextcloud locked as resolved and limited conversation to collaborators Jan 28, 2019