[Bug] Headers Issue with Next Cloud

[bombz88]

Current Behavior

Attempting to fix the following errors

**The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.**

Expected Behavior

access_log /config/log/proxy-host-2_access.log proxy;
error_log /config/log/proxy-host-2_error.log warn;

      # Hide proxy response headers from Nextcloud that conflict with ssl.conf
      # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
      proxy_hide_header Referrer-Policy;
      proxy_hide_header X-Content-Type-Options;
      proxy_hide_header X-Frame-Options;
      proxy_hide_header X-XSS-Protection;

      # Disable proxy buffering
      proxy_buffering off;

Steps To Reproduce

Attempted the following changes in ssl.conf for NginxProxyManager

        # Hide proxy response headers from Nextcloud that conflict with ssl.conf
        # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;

        # Disable proxy buffering
        proxy_buffering off;
        
# Optional additional headers
        add_header Cache-Control "no-transform" always;
        add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
        add_header Permissions-Policy "interest-cohort=()" always;
        add_header Referrer-Policy "same-origin" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-UA-Compatible "IE=Edge" always;
        add_header X-XSS-Protection "1; mode=block" always;

Environment

• OS: Linux 6.1.64-Unraid x86_64
• OS version: 6.12.5
• CPU: Xeon
• Docker version: v2.10.4
• Device model: N/A
• Browser/OS: 6.12.5

Container creation

jlesage/nginx-proxy-manager

 networks:
  proxynet:
    external: true
    name: "proxynet"

services:
  NginxProxyManager:

    command:
      - "/init"

    container_name: "NginxProxyManager"

    environment:
      - "TZ=America/New_York"
      - "HOST_OS=Unraid"
      - "USER_ID=99"
      - "GROUP_ID=100"
      - "HOST_HOSTNAME=UnRAID"
      - "HOST_CONTAINERNAME=NginxProxyManager"
      - "UMASK=000"
      - "APP_NICENESS="
      - "DISABLE_IPV6=0"
      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/base/sbin:/opt/base/bin"
      - "ENV=/root/.docker_rc"
      - "SUP_GROUP_IDS="
      - "LANG=en_US.UTF-8"
      - "KEEP_APP_RUNNING=0"
      - "INSTALL_PACKAGES="
      - "PACKAGES_MIRROR="
      - "CONTAINER_DEBUG=0"

    hostname: "3955efebf081"

    image: "jlesage/nginx-proxy-manager"

    ipc: "private"

    labels:
      net.unraid.docker.icon: "https://raw.githubusercontent.com/jlesage/docker-templates/master/jlesage/images/nginx-proxy-manager-icon.png"
      net.unraid.docker.managed: "dockerman"
      net.unraid.docker.webui: "http://[IP]:[PORT:8181]"
      org.label-schema.description: "Docker container for Nginx Proxy Manager"
      org.label-schema.name: "nginx-proxy-manager"
      org.label-schema.schema-version: "1.0"
      org.label-schema.vcs-url: "https://github.com/jlesage/docker-nginx-proxy-manager"
      org.label-schema.version: "23.12.2"

    logging:
      driver: "json-file"
      options: {}

    networks:
      - "proxynet"

    ports:
      - "14443:4443/tcp"
      - "14480:8080/tcp"
      - "7818:8181/tcp"

    volumes:
      - "/mnt/user/CACHE_DISK/appdata/NginxProxyManager:/config"

    working_dir: "/tmp"

version: "3.6"

Container log

Container ID: 3955efebf081
https://hub.docker.com/r/jlesage/nginx-proxy-manager/

Container inspect

No response

Anything else?

Adding NC output

networks:
  proxynet:
    external: true
    name: "proxynet"

services:
  nextcloud-mySQL:

    container_name: "nextcloud-mySQL"

    entrypoint:
      - "/init"

    environment:
      - "TZ=America/New_York"
      - "HOST_OS=Unraid"
      - "HOST_HOSTNAME=UnRAID"
      - "HOST_CONTAINERNAME=nextcloud-mySQL"
      - "PUID=99"
      - "PGID=100"
      - "UMASK=022"
      - "PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      - "PS1=$(whoami)@$(hostname):$(pwd)\\$ "
      - "HOME=/root"
      - "TERM=xterm"
      - "S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0"
      - "S6_VERBOSITY=1"
      - "S6_STAGE2_HOOK=/docker-mods"
      - "VIRTUAL_ENV=/lsiopy"
      - "LSIO_FIRST_PARTY=true"
      - "LD_PRELOAD=/usr/lib/preloadable_libiconv.so"

    hostname: "dac0ed1c7636"

    image: "lscr.io/linuxserver/nextcloud:latest"

    ipc: "private"

    labels:
      build_version: "Linuxserver.io version:- 28.0.2-ls299 Build-date:- 2024-02-01T12:43:38+00:00"
      maintainer: "aptalca"
      net.unraid.docker.icon: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/nextcloud-logo.png"
      net.unraid.docker.managed: "dockerman"
      net.unraid.docker.webui: "https://[IP]:[PORT:443]"
      org.opencontainers.image.authors: "linuxserver.io"
      org.opencontainers.image.created: "2024-02-01T12:43:38+00:00"
      org.opencontainers.image.description: "[Nextcloud](https://nextcloud.com/) gives you access to all\
        \ your files wherever you are.    Where are your photos and documents? With Nextcloud you pick\
        \ a server of your choice, at home, in a data center or at a provider. And that is where your\
        \ files will be. Nextcloud runs on that server, protecting your data and giving you access from\
        \ your desktop or mobile devices. Through Nextcloud you also access, sync and share your existing\
        \ data on that FTP drive at the office, a Dropbox or a NAS you have at home.  "
      org.opencontainers.image.documentation: "https://docs.linuxserver.io/images/docker-nextcloud"
      org.opencontainers.image.licenses: "GPL-3.0-only"
      org.opencontainers.image.ref.name: "9e19c87fb6fe9e30f997de86bbc2a997d628f41e"
      org.opencontainers.image.revision: "9e19c87fb6fe9e30f997de86bbc2a997d628f41e"
      org.opencontainers.image.source: "https://github.com/linuxserver/docker-nextcloud"
      org.opencontainers.image.title: "Nextcloud"
      org.opencontainers.image.url: "https://github.com/linuxserver/docker-nextcloud/packages"
      org.opencontainers.image.vendor: "linuxserver.io"
      org.opencontainers.image.version: "28.0.2-ls299"

    logging:
      driver: "json-file"
      options: {}

    networks:
      - "proxynet"

    ports:
      - "444:443/tcp"

    volumes:
      - "/mnt/cache/CACHE_DISK/appdata/nextcloud_mysql:/config"
      - "/mnt/remotes/HPNAS_NEXTCLOUD-mysql:/data"

    working_dir: "/"

version: "3.6"

[captainabloc]

found it:
to be adapted to your npm docker:
docker exec -it npmplus nano /usr/local/nginx/conf/conf.d/include/hsts.conf

replace
more_set_headers "X-XSS-Protection: 0";

by
more_set_headers "X-XSS-Protection: 1; mode=block";