Admin page will give X-Frame-Options error: "The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly."
Login as admin user into your Nextcloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.
"No errors have been found."
</details>
**List of activated apps:**
<details>
<summary>App list</summary>
Enabled:
- activity: 2.6.1
- admin_audit: 1.3.0
- bruteforcesettings: 1.0.3
- comments: 1.3.0
- dav: 1.4.6
- federatedfilesharing: 1.3.1
- federation: 1.3.0
- files: 1.8.0
- files_pdfviewer: 1.2.0
- files_retention: 1.2.0
- files_sharing: 1.5.0
- files_texteditor: 2.5.1
- files_trashbin: 1.3.0
- files_versions: 1.6.0
- files_videoplayer: 1.2.0
- firstrunwizard: 2.2.1
- gallery: 18.0.0
- logreader: 2.0.0
- lookup_server_connector: 1.1.0
- nextcloud_announcements: 1.2.0
- notifications: 2.1.2
- oauth2: 1.1.0
- password_policy: 1.3.0
- provisioning_api: 1.3.0
- serverinfo: 1.3.0
- sharebymail: 1.3.0
- survey_client: 1.1.0
- systemtags: 1.3.0
- theming: 1.4.1
- twofactor_backupcodes: 1.2.3
- updatenotification: 1.3.0
- workflowengine: 1.3.0
Disabled:
- caniupdate
- encryption
- files_external
- user_external
- user_ldap
</details>
**Nextcloud configuration:**
<details>
<summary>Config report</summary>
```json
"system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "lannerd.cyberbunker.nl"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/lannerd.cyberbunker.nl",
    "dbtype": "mysql",
    "version": "13.0.0.14",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "logtimezone": "UTC",
    "installed": true,
    "log_type": "owncloud",
    "logfile": "\/home\/lannerd\/domains\/lannerd.cyberbunker.nl\/owncloud.log",
    "loglevel": 0,
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "php",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "theme": "",
    "maintenance": false,
    "user_backends": [
        {
            "class": "OCA\\ZimbraDrive\\Auth\\ZimbraUsersBackend",
            "arguments": []
        }
    ]
}
```
</details>
**Are you using external storage, if yes which one:** local
**Are you using encryption:** no
**Are you using an external user-backend, if yes which one:** Zimbra (disabled)
### Client configuration
**Browser:** Chrome
**Operating system:** Windows 10
### Logs
#### Web server error log
<details>
<summary>Web server error log</summary>
</details>
#### Nextcloud log (data/nextcloud.log)
<details>
<summary>Nextcloud log</summary>
</details>
#### Browser log
<details>
<summary>Browser log</summary>
Insert your browser log here, this could for example include:
```http
HTTP/1.1 200 OK
Date: Mon, 26 Feb 2018 18:51:22 GMT
Server: Apache/2
Strict-Transport-Security: max-age=31536000; includeSubDomains
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-ZEJsL2JITVdsWVdRNW56WVpjb202dHlEdzBKUWNFZXdTRVN2a3phVGJiST06SlZZTkdrQlY0Ynp6Z1NpMUxvaEsyWmZSbFRZWFBpVGFJQ3VjOFZMd1h0Yz0=' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Length: 6095
Keep-Alive: timeout=2, max=100
Content-Type: text/html; charset=UTF-8
```
Configure apache to have 'X-Frame-Options: SAMEORIGIN' set as header
This should not be set in the web server, because we also set it in PHP - see #8207 for the full discussion about detecting this. As of now you should just remove it from the web server config and all should be fine. We are looking into detecting if it is set by the web server and then disable the PHP code for this.
Hello,
If I remove it from the Apache config, then it doesn't show in the Chrome developer console and scan.nextcloud.com fails on the X-Frame-Options option.
So if the solution is to remove it from the Apache/webserver config, I need to create a new bug, because the header isn't added by Nextcloud itself.
Lennard
From: "Morris Jobke" <[email protected]>
To: "nextcloud/server" <[email protected]>
Cc: "Lennard Bakker" <[email protected]>, "Author" <[email protected]>
Sent: Tuesday, 27 February 2018 09:49:59
Subject: Re: [nextcloud/server] The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". (#8550)

> This should not be set in the web server, because we also set it in PHP - see #8207 for the full discussion about detecting this. As of now you should just remove it from the web server config and all should be fine. We are looking into detecting if it is set by the web server and then disable the PHP code for this.
It seems like modHeadersAvailable is not recognized for the X-Frame-Options header. Deactivating it in the server's settings lets all kinds of header errors pop up again. Reactivating it again and the errors go away except for the X-Frame-Options problem.
Also the header is in the response of the server, but it's still shown as a problem on the scan.nextcloud.com website. Which is weird. I know for a fact that my webserver always serves its headers...
I guess that's caused by the header showing up multiple times?
Nextcloud 15.0.2
I get the message: The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"
I tried to set it into apache (Apache/2.4.25 (Debian)):
```apache
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
```
It did not change anything???
Any clue???
Mine is Nginx, and I am running NC 14, the same reminder appeared recently while it didn't for a long time since I upgraded to NC 14.
My Nginx ver is 1.14.2
This should not be set in the web server, because we also set it in PHP - see #8207 for the full discussion about detecting this. As of now you should just remove it from the web server config and all should be fine. We are looking into detecting if it is set by the web server and then disable the PHP code for this.
See #8207 for more details and possible workarounds.
`server/lib/private/legacy/response.php`, line 97 (commit 554c78c)

`X-Frame-Options` is added to every request by Nextcloud. There are several ways to fix this:
- Don't set `X-Frame-Options` in your webserver configuration.
- If you want to keep it in your webserver configuration. Nginx: `proxy_hide_header X-Frame-Options;` (suppress header). Apache2: `Header always set X-Frame-Options "SAMEORIGIN"` (overwrite header).
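The recurring question in this thread is whether the header the browser receives is set once, twice (web server plus PHP) or not at all, which is hard to tell from the admin warning alone. The following script is an added example, not Nextcloud's code and not the scan.nextcloud.com implementation: it parses a raw HTTP response of the kind pasted in the browser log above and reports how many `X-Frame-Options` copies it carries and whether the value is `SAMEORIGIN`. The three response texts are constructed samples, and treating a second copy of the header as a failure is this example's own rule, following the advice here to send the header from one place only.

```python
"""Check how X-Frame-Options is sent in a raw HTTP response.

Added example for the thread above (not Nextcloud's code and not the
scan.nextcloud.com checker). It parses a captured response the way the
browser log above is pasted and reports whether X-Frame-Options is present
exactly once with the value SAMEORIGIN.
"""
from __future__ import annotations

# Constructed sample: Apache adds its own copy of the header on top of the
# one Nextcloud sets from PHP, so the client sees it twice.
DUPLICATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: only the PHP-set header remains after the web server
# directive is removed, which is the state the maintainers recommend.
SINGLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample: no clickjacking protection at all.
MISSING_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs in wire order, keeping duplicates.

    Names are lower-cased because header names are case-insensitive.
    Both CRLF and bare LF line endings are accepted so a block pasted
    from a browser's developer console parses as well as a socket capture.
    """
    text = raw.replace("\r\n", "\n")
    head, _sep, _body = text.partition("\n\n")
    lines = head.split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_x_frame_options(raw: str) -> dict:
    """Classify the response: ok only when the header is sent once as SAMEORIGIN.

    The value comparison is case-insensitive, matching how browsers read
    the header. Which side (web server or PHP) emitted each copy cannot be
    seen on the wire, so a duplicate is reported for the operator to trace.
    """
    values = [v for name, v in parse_headers(raw) if name == "x-frame-options"]
    result = {"count": len(values), "values": values, "ok": False, "reason": ""}
    if not values:
        result["reason"] = "header missing"
    elif len(values) > 1:
        result["reason"] = "header sent more than once (web server and PHP both set it?)"
    elif values[0].upper() != "SAMEORIGIN":
        result["reason"] = f"unexpected value {values[0]!r}"
    else:
        result["ok"] = True
        result["reason"] = "set once to SAMEORIGIN"
    return result


if __name__ == "__main__":
    for label, sample in (("duplicated", DUPLICATED_RESPONSE),
                          ("single", SINGLE_RESPONSE),
                          ("missing", MISSING_RESPONSE)):
        verdict = check_x_frame_options(sample)
        print(f"{label:10s} ok={verdict['ok']} count={verdict['count']} {verdict['reason']}")
```

To use it on a live instance, paste the response headers from the browser's network tab (or `curl -sI` output) in place of one of the samples; a count of 2 with both values `SAMEORIGIN` is the duplicate case discussed above, and the `proxy_hide_header` or `Header always set` fix from the last comment should bring it back to 1.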