Broken lighttpd config for nextcloud (missing Referrer, duplicate X-Frame-Options)
The file /etc/lighttpd/conf.d/nextcloud shipped with the Turris nextcloud package contains a subtly broken configuration with Nextcloud 14.04. After upgrading to Nextcloud 14.04 the "Security & setup warnings" page complains about the following headers:
- Referrer-Policy, which is considered missing. Checking with the network inspector tool of Chromium confirms its absence from the response headers.
- X-Frame-Options, which is considered missing as well. Checking with the network inspector tool of Chromium reveals, in fact, two "X-Frame-Options" headers among the response headers (Nextcloud treats the duplicated header as invalid and reports it as missing).
This can be resolved by editing /etc/lighttpd/conf.d/nextcloud:

alias.url += ( "/nextcloud" => "/srv/www/nextcloud" )
$HTTP["url"] =~ "^/nextcloud" {
    # Avoid possibly leaking sensitive URLs when clicking links to external resources from within nextcloud.
    # This example requests that browsers always omit the Referer header when navigating away from nextcloud.
    setenv.add-response-header += ( "Referrer-Policy" => "no-referrer" )
}
$HTTP["url"] =~ "^/nextcloud/(build|tests|config|lib|3rdparty|templates|data)" {
    url.access-deny = ( "" )
}
Note that the X-Frame-Options header was removed (Nextcloud already sends it itself, which is where the duplicate came from) and the Referrer-Policy header was added.
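To verify the fix without the browser inspector, the following added script (not part of the original post or of the Turris package) audits a response head for exactly the two problems above: a Referrer-Policy header that is absent, and an X-Frame-Options header that appears more than once. The sample responses embedded below are constructed; the optional fetch_head() helper and the URL it takes are assumptions for running it against a live instance.

```python
"""Audit Nextcloud security headers for 'missing' and 'duplicate' conditions."""
from collections import Counter
from typing import Dict, List, Tuple
import urllib.request

# Headers the Nextcloud "Security & setup warnings" page checks for and that
# this post is about; each must be present exactly once.
REQUIRED = ("referrer-policy", "x-frame-options")

# Constructed sample: response from the broken lighttpd config (two
# X-Frame-Options headers, one from lighttpd and one from Nextcloud; no Referrer-Policy).
BROKEN_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: response after the fix (lighttpd adds Referrer-Policy,
# Nextcloud alone sends X-Frame-Options).
FIXED_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""


def parse_head(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.splitlines():
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return 'missing', 'duplicate' or 'ok' for each required header."""
    counts = Counter(name for name, _ in pairs)
    return {h: "missing" if counts[h] == 0 else "duplicate" if counts[h] > 1 else "ok"
            for h in REQUIRED}


def audit_raw(raw: str) -> Dict[str, str]:
    return audit(parse_head(raw))


def fetch_head(url: str) -> List[Tuple[str, str]]:
    """Assumed usage against a live instance; getheaders() preserves duplicate headers."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as resp:
        return [(k.lower(), v) for k, v in resp.getheaders()]
```

Run it as `audit(fetch_head("https://HOST/nextcloud/"))` with your own host; anything other than "ok" for both headers corresponds to the warnings described in the post.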