
[Bug]: scan.nextcloud.com checks for X-XSS-Protection #55526

@b90g

Description


Bug description

If I run this on a NC32 server it complains.

But NC32 states that XSS is obsolete: https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_32.html#web-server-configuration

So maybe don't check for it anymore.

Steps to reproduce

  1. Open a browser and visit https://scan.nextcloud.com
  2. Check a NC32 instance

Expected behavior

A+ on latest patch level with good config.

Nextcloud Server version

32

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.4

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 31 to 32)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

"stdout_lines": [
        "{",
        "    \"system\": {",
        "        \"instanceid\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"passwordsalt\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"secret\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"datadirectory\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"loglevel\": 0,",
        "        \"logfile\": \"\\/data\\/nextcloud.log\",",
        "        \"log_rotate_size\": 1048576,",
        "        \"trashbin_retention_obligation\": \"90, 180\",",
        "        \"version\": \"32.0.0.13\",",
        "        \"installed\": true,",
        "        \"default_phone_region\": \"DE\",",
        "        \"maintenance\": false,",
        "        \"theme\": \"\",",
        "        \"filelocking.enabled\": true,",
        "        \"updater.release.channel\": \"stable\",",
        "        \"maintenance_window_start\": 5,",
        "        \"defaultapp\": \"\",",
        "        \"app_install_overwrite\": {",
        "            \"0\": \"files_retention\",",
        "            \"1\": \"drop_account\",",
        "            \"3\": \"checksum\",",
        "            \"4\": \"gluusso\",",
        "            \"5\": \"apporder\",",
        "            \"6\": \"side_menu\",",
        "            \"7\": \"end_to_end_encryption\",",
        "            \"8\": \"fulltextsearch_elasticsearch\",",
        "            \"9\": \"fulltextsearch\",",
        "            \"10\": \"files_fulltextsearch\",",
        "            \"11\": \"metadata\",",
        "            \"13\": \"flowupload\",",
        "            \"14\": \"duplicatefinder\",",
        "            \"15\": \"previewgenerator\",",
        "            \"16\": \"gpgmailer\",",
        "            \"17\": \"keeporsweep\",",
        "            \"18\": \"appointments\",",
        "            \"19\": \"files_antivirus\",",
        "            \"20\": \"riotchat\",",
        "            \"21\": \"news\",",
        "            \"22\": \"money\",",
        "            \"23\": \"uppush\",",
        "            \"24\": \"memories\",",
        "            \"25\": \"files_archive\",",
        "            \"26\": \"deck\",",
        "            \"27\": \"keeweb\"",
        "        },",
        "        \"memories.exiftool\": \"\\/var\\/www\\/apps\\/memories\\/bin-ext\\/exiftool-amd64-glibc\",",
        "        \"memories.vod.path\": \"\\/var\\/www\\/apps\\/memories\\/bin-ext\\/go-vod-amd64\",",
        "        \"enabledPreviewProviders\": [",
        "            \"OC\\\\Preview\\\\Image\",",
        "            \"OC\\\\Preview\\\\HEIC\",",
        "            \"OC\\\\Preview\\\\TIFF\",",
        "            \"OC\\\\Preview\\\\Movie\"",
        "        ],",
        "        \"preview_max_x\": 8192,",
        "        \"preview_max_y\": 8192,",
        "        \"preview_max_filesize_image\": 12,",
        "        \"memories.vod.disable\": false,",
        "        \"memories.vod.ffmpeg\": \"\\/bin\\/ffmpeg\",",
        "        \"memories.vod.ffprobe\": \"\\/bin\\/ffprobe\",",
        "        \"memories.video_default_quality\": \"-2\",",
        "        \"memories.db.triggers.fcu\": true,",
        "        \"twofactor_enforced\": \"false\",",
        "        \"twofactor_enforced_groups\": [],",
        "        \"twofactor_enforced_excluded_groups\": [],",
        "        \"auth.webauthn.enabled\": false,",
        "        \"memcache.local\": \"\\\\OC\\\\Memcache\\\\Redis\",",
        "        \"memcache.distributed\": \"\\\\OC\\\\Memcache\\\\Redis\",",
        "        \"memcache.locking\": \"\\\\OC\\\\Memcache\\\\Redis\",",
        "        \"redis\": {",
        "            \"host\": \"***REMOVED SENSITIVE VALUE***\",",
        "            \"port\": 6379,",
        "            \"timeout\": 1.5",
        "        },",
        "        \"dbtype\": \"pgsql\",",
        "        \"dbname\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"dbhost\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"dbport\": \"5432\",",
        "        \"dbtableprefix\": \"oc_\",",
        "        \"mysql.utf8mb4\": true,",
        "        \"dbuser\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"dbpassword\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"mail_smtpmode\": \"smtp\",",
        "        \"mail_sendmailmode\": \"smtp\",",
        "        \"mail_smtpauth\": 1,",
        "        \"mail_smtphost\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"mail_smtpport\": \"465\",",
        "        \"mail_domain\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"mail_from_address\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"mail_smtpname\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"mail_smtppassword\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"mail_send_plaintext_only\": true,",
        "        \"mail_smtpsecure\": \"ssl\",",
        "        \"trusted_domains\": [",
        "            \"***REMOVED SENSITIVE VALUE***\",",
        "            \"***REMOVED SENSITIVE VALUE***\"",
        "        ],",
        "        \"trusted_proxies\": \"***REMOVED SENSITIVE VALUE***\",",
        "        \"overwrite.cli.url\": \"https:\\/\\/***REMOVED SENSITIVE VALUE***\",",
        "        \"htaccess.RewriteBase\": \"\\/\",",
        "        \"overwriteprotocol\": \"https\",",
        "        \"files.chunked_upload.max_size\": 536870912",
        "    }",
        "}"

List of activated Apps

"stdout_lines": [
        "Enabled:",
        "  - audioplayer: 3.5.1",
        "  - calendar: 6.0.0",
        "  - checksum: 1.2.6",
        "  - cloud_federation_api: 1.16.0",
        "  - contacts: 8.0.2",
        "  - dav: 1.34.2",
        "  - deck: 1.16.0",
        "  - federatedfilesharing: 1.22.0",
        "  - files: 2.4.0",
        "  - files_antivirus: 6.0.5",
        "  - files_downloadlimit: 5.0.0-dev.0",
        "  - files_fulltextsearch: 31.0.0",
        "  - files_pdfviewer: 5.0.0-dev.0",
        "  - files_reminders: 1.5.0",
        "  - files_sharing: 1.24.0",
        "  - files_trashbin: 1.22.0",
        "  - files_versions: 1.25.0",
        "  - fulltextsearch: 31.0.0",
        "  - fulltextsearch_elasticsearch: 31.0.0",
        "  - keeweb: 0.6.22",
        "  - lookup_server_connector: 1.20.0",
        "  - money: 0.30.0",
        "  - music: 2.3.0",
        "  - news: 27.0.0",
        "  - notes: 4.12.3",
        "  - notifications: 5.0.0-dev.0",
        "  - notify_push: 1.2.0",
        "  - oauth2: 1.20.0",
        "  - profile: 1.1.0",
        "  - provisioning_api: 1.22.0",
        "  - richdocuments: 9.0.0",
        "  - riotchat: 0.19.0",
        "  - settings: 1.15.1",
        "  - systemtags: 1.22.0",
        "  - text: 6.0.0-dev.0",
        "  - theming: 2.7.0",
        "  - twofactor_backupcodes: 1.21.0",
        "  - uppush: 2.3.1",
        "  - user_oidc: 8.0.0",
        "  - viewer: 5.0.0-dev.0",
        "  - workflowengine: 2.14.0",
        "Disabled:",
        "  - activity: 5.0.0-dev.0 (installed 2.21.1)",
        "  - admin_audit: 1.22.0 (installed 1.19.0)",
        "  - app_api: 32.0.0 (installed 3.1.0)",
        "  - bruteforcesettings: 5.0.0-dev.0 (installed 2.2.0)",
        "  - circles: 32.0.0 (installed 29.0.0-dev)",
        "  - comments: 1.22.0 (installed 1.22.0)",
        "  - contactsinteraction: 1.13.1 (installed 1.10.0)",
        "  - dashboard: 7.12.0 (installed 7.1.0)",
        "  - encryption: 2.20.0",
        "  - federation: 1.22.0 (installed 1.11.0)",
        "  - files_external: 1.24.0 (installed 1.12.1)",
        "  - firstrunwizard: 5.0.0-dev.0 (installed 2.9.0)",
        "  - logreader: 5.0.0-dev.0 (installed 2.14.0)",
        "  - nextcloud_announcements: 4.0.0-dev.0 (installed 1.9.0)",
        "  - password_policy: 4.0.0-dev.0 (installed 1.19.0)",
        "  - photos: 5.0.0-dev.1 (installed 2.5.0)",
        "  - privacy: 4.0.0-dev.0 (installed 1.13.0)",
        "  - recommendations: 5.0.0-dev.0 (installed 1.1.0)",
        "  - related_resources: 3.0.0-dev.0 (installed 3.0.0-dev.0)",
        "  - serverinfo: 4.0.0-dev.0 (installed 1.19.0)",
        "  - sharebymail: 1.22.0 (installed 1.19.0)",
        "  - support: 4.0.0-dev.0 (installed 1.3.0)",
        "  - survey_client: 4.0.0-dev.0 (installed 1.8.0)",
        "  - suspicious_login: 10.0.0-dev.0",
        "  - twofactor_nextcloud_notification: 6.0.0-dev.0 (installed 3.10.0)",
        "  - twofactor_totp: 14.0.0 (installed 11.0.0-dev)",
        "  - updatenotification: 1.22.0 (installed 1.22.0)",
        "  - user_ldap: 1.23.0 (installed 1.20.0)",
        "  - user_status: 1.12.0 (installed 1.0.1)",
        "  - weather_status: 1.12.0 (installed 1.1.0)",
        "  - webhook_listeners: 1.3.0 (installed 1.1.0-dev)"

Nextcloud Signing status

Last time I checked everything was OK (got the checkmark on the admin page).

Nextcloud Logs

.

Additional info

this regards
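The policy the report asks for, written out as a header check (added example, not code from Nextcloud or from scan.nextcloud.com): the absence of X-XSS-Protection is not a finding, an explicit `0` is accepted, and only a value that re-enables the legacy browser auditor is flagged, while the baseline headers the scanner would still want stay required. The REQUIRED set and the sample header dictionaries are assumptions constructed for this example.

```python
"""Security-header check that treats X-XSS-Protection as obsolete (constructed example)."""
from typing import Dict, List, Tuple

# Assumed baseline of headers a scanner still expects on a Nextcloud front end.
REQUIRED = {
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("sameorigin", "deny"),
    "referrer-policy": ("no-referrer", "no-referrer-when-downgrade", "strict-origin",
                        "strict-origin-when-cross-origin", "same-origin"),
}
PRESENT_ONLY = ("content-security-policy", "strict-transport-security")


def evaluate_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ("pass" | "warn" | "fail", findings). A missing X-XSS-Protection is never a finding."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    grade = "pass"
    for name, accepted in REQUIRED.items():
        value = h.get(name, "").lower()
        if not value:
            findings.append(f"missing {name}")
            grade = "fail"
        elif value not in accepted:
            findings.append(f"unexpected {name}: {value}")
            grade = "fail"
    for name in PRESENT_ONLY:
        if name not in h:
            findings.append(f"missing {name}")
            grade = "fail"
    # Obsolete header: absent is fine, "0" (explicitly off) is fine; anything else only warns,
    # because the NC32 release notes no longer ask web servers to send it.
    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append(f"x-xss-protection is obsolete; remove it or set it to 0 (got {xss!r})")
        if grade == "pass":
            grade = "warn"
    return grade, findings


# Constructed sample responses: an NC32 nginx front end without the header, and a legacy one.
NC32_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
}
LEGACY_HEADERS = dict(NC32_HEADERS, **{"X-XSS-Protection": "1; mode=block"})
```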

Labels

0. Needs triage (pending check for reproducibility or if it fits our roadmap), 32-feedback, bug