From 9399cbe662b03bf193b5af7f0f991a09930c5451 Mon Sep 17 00:00:00 2001 From: zertrin Date: Sun, 19 Jan 2020 23:53:08 +0800 Subject: [PATCH] Use "setifempty" instead of "always set" in .htaccess The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts. Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers are set twice! Which leads to warnings in the admin area. Using "setifempty" solves the problem. In the default case where the system admin didn't do anything, Nextcloud will add them automatically. On the other hand, when the system administrator has already set security headers, we should not add ours on top. See github issues #16893 #16476 #16938 #18017 --- .htaccess | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.htaccess b/.htaccess index 8b91422755c22..e5545a46b15ac 100644 --- a/.htaccess +++ b/.htaccess @@ -11,13 +11,13 @@ # Add security and privacy related headers - Header always set Referrer-Policy "no-referrer" - Header always set X-Content-Type-Options "nosniff" - Header always set X-Download-Options "noopen" - Header always set X-Frame-Options "SAMEORIGIN" - Header always set X-Permitted-Cross-Domain-Policies "none" - Header always set X-Robots-Tag "none" - Header always set X-XSS-Protection "1; mode=block" + Header setifempty Referrer-Policy "no-referrer" + Header setifempty X-Content-Type-Options "nosniff" + Header setifempty X-Download-Options "noopen" + Header setifempty X-Frame-Options "SAMEORIGIN" + Header setifempty X-Permitted-Cross-Domain-Policies "none" + Header setifempty X-Robots-Tag "none" + Header setifempty X-XSS-Protection "1; mode=block" SetEnv modHeadersAvailable true