From aefa14167a72c3175560133ce410650314973674 Mon Sep 17 00:00:00 2001 From: zertrin Date: Sun, 19 Jan 2020 23:53:08 +0800 Subject: [PATCH] Use "setifempty" instead of "set" in .htaccess The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts. Using "set" in the .htaccess of Nextcloud leads to the situation where the headers are set twice! Which leads to warnings in the admin area. Using "setifempty" solves the problem. In the default case where the system admin didn't do anything, Nextcloud will add them automatically. On the other hand, when the system administrator has already set security headers, we should not add ours on top. See github issues #16893 #16476 #16938 #18017 Signed-off-by: zertrin
---
.htaccess | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.htaccess b/.htaccess
index 8b91422755c22..ce58fb2e87590 100644
--- a/.htaccess
+++ b/.htaccess
@@ -11,13 +11,13 @@
 # Add security and privacy related headers
- Header always set Referrer-Policy "no-referrer"
- Header always set X-Content-Type-Options "nosniff"
- Header always set X-Download-Options "noopen"
- Header always set X-Frame-Options "SAMEORIGIN"
- Header always set X-Permitted-Cross-Domain-Policies "none"
- Header always set X-Robots-Tag "none"
- Header always set X-XSS-Protection "1; mode=block"
+ Header always setifempty Referrer-Policy "no-referrer"
+ Header always setifempty X-Content-Type-Options "nosniff"
+ Header always setifempty X-Download-Options "noopen"
+ Header always setifempty X-Frame-Options "SAMEORIGIN"
+ Header always setifempty X-Permitted-Cross-Domain-Policies "none"
+ Header always setifempty X-Robots-Tag "none"
+ Header always setifempty X-XSS-Protection "1; mode=block"
 SetEnv modHeadersAvailable true
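Review bot: `setifempty` on the seven added `Header always` lines lets any value that is already present win, so a weaker server-level setting (for example an `X-Frame-Options` that permits framing) is now kept silently where `set` used to overwrite it with the hardened default. As far as I know mod_headers keeps separate `always` and `onsuccess` tables, so a header the administrator added with a plain `Header set` may not count as present here and could still end up duplicated; that is worth confirming against the cases in the linked issues. `setifempty` is also only available from Apache 2.4.7, and an unrecognised action in `.htaccess` would most likely fail every request on an older server, so the minimum version should be stated. I would add a comment above the block such as `# setifempty: headers already set at server level win; make sure they are at least as strict as these defaults (needs Apache >= 2.4.7)`. The enclosing configuration block starts and ends outside the hunk.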