Tag Archives: sameorigin

Nextcloud: The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN” (even if it is)

An interesting anecdote from my work with Nextcloud. In the backend, they offer a “Security- and configuration check” which proposes some tips and recommendations to take with your Nextcloud server instance.

After completing all tasks listed, one persisted:

The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential security or privacy risk, and we recommend changing this setting.

Nextcloud Admin Backend -> Overview

As this is an easy check, I opened the developer console of my browser and checked if the header was set. And it was. Weird? At that point, I was pretty certain that something with the detection of that header was wrong, but I could not point it out immediately.

After researching online and fiddling with this for at least an hour, likely more, I decided to utilize the scan.nextcloud.com security scanner to ensure the warning is also shown there. Now the fun part: The scanner showed the warning too, but with cached data from last year. After re-scanning and getting an A+ on the scanner, the warning also disappeared in the Nextcloud backend.

Likely the Nextcloud backend check relies on the same dataset that scan.nextcloud.com uses and by re-doing the security check manually on scan.nextcloud.com, the warning disappeared. No need to fiddle with any webserver-configs, since Nextcloud in all newer versions sets the X-Frame-Options header correctly by itself.