
Issue because enforcing security header #6673

Closed
Beanux opened this issue Sep 27, 2017 · 6 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap needs info security

Comments

@Beanux

Beanux commented Sep 27, 2017

Before reading further: I know this bug has already been reported; all reports have been closed with "disable your header in security.conf".

Steps to reproduce

Load Admin page

Expected behaviour

No error at all

Actual behaviour

Get a warning about 3 headers, X-XSS-Protection, X-Content-Type-Options and X-Frame-Options, saying they are not set, but they are set twice.

Issue discussion

The issue is not only that they are set twice, but also that the warning says "not enabled".
They are set twice because they are inserted once by my conf (they need to be set for the many other hosted web apps that don't have your security concern) and once more because they are inserted dynamically in PHP by Nextcloud.

I've tried to change my conf a bit: instead of a simple set, I set a merge:
Header always set XXX XXX
becoming:
Header always merge XXX XXX

But it's not working.

So, I would like to know if it's doable to not enforce the config by default (check the header before setting it to the same value).
Or, if setting the header twice should still work, then make a smarter test that looks whether the needed value is present or at the end.

Yes, I can insert some exception in my security.conf, like "do not set the header for the nextcloud location", but it is dirty to put this kind of thing inside this kind of conf.

General server configuration

Operating system: Linux web2 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u1 (2017-06-18) x86_64

Web server: Apache (apache2handler)

Database: pgsql PostgreSQL 9.6.4 on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18) 6.3.0 20170516, 64-bit

PHP version: 7.0.19-1

PHP-modules loaded
 - Core
 - date
 - libxml
 - openssl
 - pcre
 - zlib
 - filter
 - hash
 - Reflection
 - SPL
 - session
 - standard
 - apache2handler
 - PDO
 - xml
 - bcmath
 - bz2
 - calendar
 - ctype
 - curl
 - dom
 - mbstring
 - fileinfo
 - ftp
 - gd
 - gettext
 - gmp
 - iconv
 - igbinary
 - imagick
 - intl
 - json
 - exif
 - mcrypt
 - pdo_pgsql
 - pdo_sqlite
 - pgsql
 - Phar
 - posix
 - readline
 - redis
 - shmop
 - SimpleXML
 - smbclient
 - sockets
 - sqlite3
 - sysvmsg
 - sysvsem
 - sysvshm
 - tokenizer
 - wddx
 - xmlreader
 - xmlwriter
 - xsl
 - zip
 - libsmbclient
 - Zend OPcache

Nextcloud configuration

Nextcloud version: 12.0.3 - 12.0.3.3


Are you using external storage, if yes which one: Array
(
[0] => \OC\Files\Storage\Local
[1] => \OCA\Files_External\Lib\Storage\FTP
[2] => \OC\Files\Storage\DAV
[3] => \OCA\Files_External\Lib\Storage\OwnCloud
[4] => \OCA\Files_External\Lib\Storage\SFTP
[5] => \OCA\Files_External\Lib\Storage\AmazonS3
[6] => \OCA\Files_External\Lib\Storage\Dropbox
[7] => \OCA\Files_External\Lib\Storage\Google
[8] => \OCA\Files_External\Lib\Storage\Swift
[9] => \OCA\Files_External\Lib\Storage\SFTP
[10] => \OCA\Files_External\Lib\Storage\SMB
[11] => \OCA\Files_External\Lib\Storage\SMB
)

Are you using encryption: no


Signing status
[]
Enabled apps
 - activity: 2.5.2
 - admin_audit: 1.2.0
 - bruteforcesettings: 1.0.2
 - calendar: 1.5.5
 - circles: 0.12.4
 - comments: 1.2.0
 - contacts: 1.5.3
 - dav: 1.3.0
 - external: 2.0.3
 - federatedfilesharing: 1.2.0
 - federation: 1.2.0
 - files: 1.7.2
 - files_accesscontrol: 1.2.5
 - files_external: 1.3.0
 - files_pdfviewer: 1.1.1
 - files_sharing: 1.4.0
 - files_texteditor: 2.4.1
 - files_trashbin: 1.2.0
 - files_versions: 1.5.0
 - files_videoplayer: 1.1.0
 - firstrunwizard: 2.1
 - gallery: 17.0.0
 - groupfolders: 1.1.0
 - issuetemplate: 0.2.2
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - metadata: 0.5.0
 - music: 0.5.2
 - nextcloud_announcements: 1.1
 - notes: 2.3.1
 - notifications: 2.0.0
 - oauth2: 1.0.5
 - password_policy: 1.2.2
 - provisioning_api: 1.2.0
 - quota_warning: 1.1.0
 - registration: 0.3.0
 - serverinfo: 1.2.0
 - sharebymail: 1.2.0
 - socialsharing_diaspora: 1.0.1
 - socialsharing_facebook: 1.0.1
 - socialsharing_twitter: 1.0.1
 - spreed: 2.0.1
 - survey_client: 1.0.0
 - systemtags: 1.2.0
 - theming: 1.3.0
 - twofactor_backupcodes: 1.1.1
 - twofactor_totp: 1.3.1
 - updatenotification: 1.2.0
 - workflowengine: 1.2.0
Disabled apps
 - checksum
 - deck
 - encryption
 - ojsxc
 - user_external
 - user_ldap
Content of config/config.php
{
    "instanceid": "ocdlzdmhtocg",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "\/data\/web\/nextcloud",
    "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "12.0.3.3",
    "dbname": "nxtclddb",
    "dbhost": "localhost:5432",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_from_address": "admin",
    "mail_smtpmode": "php",
    "mail_smtpauthtype": "LOGIN",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "filelocking.enabled": "true",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "localhost",
        "port": 6379,
        "dbindex": 0,
        "timeout": 1.5
    },
    "mail_smtpsecure": "tls",
    "mail_smtpauth": 1,
    "maintenance": false,
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "theme": "",
    "loglevel": 2
}

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0


@8h2a

8h2a commented Jan 24, 2018

I have the same issue that all security-related HTTP headers are set twice, because I have a global webserver config which sets those headers, but Nextcloud seems to append its own headers.
This results in headers like: X-Robots-Tag: none, none
And warning messages like the following:
The "X-Robots-Tag" HTTP header is not configured to equal to "none". This is a potential security or privacy risk and we recommend adjusting this setting.

The only known workaround for this would be to unset those headers in my webserver config for the Nextcloud directory/subdomain. But this is an ugly workaround, because now we're assuming that Nextcloud sets these headers properly.
It would be much nicer to have an improved header check in Nextcloud.
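A duplicate-tolerant version of the "smarter test" both comments ask for, as an added Python example (this is not Nextcloud's own check; the expected header values are assumed representative ones, and the response block is constructed to mirror the doubled headers described above). It passes a header only when every occurrence, including the comma-joined values that Apache's Header merge produces, equals the expected value, and it flags conflicting duplicates instead of accepting a value that merely appears somewhere in the list.

```python
from typing import Dict, List

# Representative expected values (assumed for this example; Nextcloud's own
# list and exact values may differ).
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Robots-Tag": "none",
}

# Constructed response: the web server's security.conf sets the headers once
# and Nextcloud's PHP sets them again; X-Robots-Tag was merged into one line,
# and the second X-Frame-Options deliberately conflicts to show the failure case.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none, none
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html
"""

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> every individual value seen.
    Repeated header lines and comma-joined values both become separate entries."""
    values: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or non-header text
        name, _, value = line.partition(":")
        for part in value.split(","):
            part = part.strip()
            if part:
                values.setdefault(name.strip().lower(), []).append(part)
    return values

def check_header(values: Dict[str, List[str]], name: str, expected: str) -> str:
    """'missing', 'ok', 'ok-duplicated' (all copies agree) or 'mismatch'."""
    seen = values.get(name.lower(), [])
    if not seen:
        return "missing"
    if all(v.lower() == expected.lower() for v in seen):
        return "ok" if len(seen) == 1 else "ok-duplicated"
    return "mismatch"  # at least one copy disagrees: treat as a real finding

def check_security_headers(raw: str) -> Dict[str, str]:
    values = parse_headers(raw)
    return {name: check_header(values, name, exp) for name, exp in EXPECTED.items()}
```

Running check_security_headers(SAMPLE_RESPONSE) reports the three agreeing headers as "ok-duplicated" (informational, not a warning) and X-Frame-Options as "mismatch", which is the case a "value is present somewhere" check would wrongly pass.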

@Beanux
Author

Beanux commented Jan 24, 2018

Yes, that's not the first ticket about that, and it won't be the last.
I'm not familiar enough with Nextcloud and development to try a patch on my own, even if I discovered where this is implemented.

@J0WI
Contributor

J0WI commented Feb 7, 2018

See also #8207

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@ghost ghost removed the stale Ticket or PR with no recent activity label Jun 12, 2019
@skjnldsv skjnldsv added needs info stale Ticket or PR with no recent activity labels Jun 12, 2019
@ghost ghost removed the stale Ticket or PR with no recent activity label Jun 12, 2019
@skjnldsv
Member

@blizzz @MorrisJobke @rullzer any clues? Shall we keep this issue? Close it?

@kesselb
Contributor

kesselb commented Jun 12, 2019

Looks like a duplicate of #8207 as @J0WI found.

@skjnldsv
Member

Closing then.
