Regarding these errors:

    The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
    The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
    The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
    The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
    The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
    Accessing site insecurely via HTTP. You are strongly adviced to set up your server to require HTTPS instead, as described in the security tips.

You may see those on Nextcloud on our servers. Here we explain why they appear, and then how we fix them.

Nextcloud sets certain variables in .htaccess and then reads them with the getenv() PHP function. getenv(), however, reads PHP environment variables (http://php.net/manual/en/function.getenv.php), that is, the variables listed when phpinfo() is executed. There is no guarantee that a variable set with SetEnv in an .htaccess file will be visible to getenv() as well, although it usually is.

We use suEXEC on our servers, and for security reasons it passes only a subset of the environment variables on to CGI (PHP) scripts.

To set custom environment variables in .htaccess and then read them with getenv() in PHP on such a server, each variable name must be prefixed with:

    HTTP_

Nextcloud, however, assumes a less restrictive environment and uses this line in .htaccess:

    SetEnv modHeadersAvailable

and later reads that variable in its PHP code. On our server that read fails, because suEXEC does not pass the unprefixed variable through.

Thus we edit that line to be:

    SetEnv HTTP_modHeadersAvailable

and change the reference in the PHP code to match. We use these two commands to adjust the Nextcloud code (run from the Nextcloud root directory):

    sed -i 's/modHeadersAvailable/HTTP_modHeadersAvailable/g' .htaccess
    sed -i 's/modHeadersAvailable/HTTP_modHeadersAvailable/g' lib/private/legacy/response.php

Then all the warnings disappear. The only problem is that now this warning comes up:

    Some files have not passed the integrity check. Further information on how to resolve this issue can be found in the documentation. (List of invalid files… / Rescan…)

which is expected, because we have modified two of the shipped files, and can be ignored.
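As an added example (not from the original post and not Nextcloud's own code), the shell script below wraps the two sed edits so they can be rerun safely, for instance after an update has put the original files back, and then checks a captured set of response headers against the values the warnings above ask for. The function names, the .bak backup convention and the sample header blocks are our own assumptions; the file paths are the ones named above.

```shell
#!/bin/sh
# Added example: idempotent HTTP_ prefix patch for Nextcloud under suEXEC,
# plus a header check for the values Nextcloud's admin page expects.
# Assumed: $1 is the Nextcloud root; file paths are those named in the post.

# Rename the SetEnv variable and its PHP reference, but only once: a second
# run must not turn HTTP_modHeadersAvailable into HTTP_HTTP_modHeadersAvailable.
patch_nextcloud_env() {
    root="$1"
    for f in ".htaccess" "lib/private/legacy/response.php"; do
        path="$root/$f"
        [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
        if grep -q 'HTTP_modHeadersAvailable' "$path"; then
            echo "already patched: $path"
            continue
        fi
        cp "$path" "$path.bak"   # assumed convention: keep a copy of the shipped file
        # write to a temp file and move it into place (portable across sed variants)
        sed 's/modHeadersAvailable/HTTP_modHeadersAvailable/g' "$path" > "$path.tmp" \
            && mv "$path.tmp" "$path"
        echo "patched: $path"
    done
}

# Compare a captured set of response headers (e.g. the output of
# `curl -sI https://host/`) against the values listed in the warnings.
# Prints one line per problem; the return value is the number of problems.
check_security_headers() {
    headers="$1"
    problems=0
    for pair in \
        "X-XSS-Protection:1; mode=block" \
        "X-Content-Type-Options:nosniff" \
        "X-Robots-Tag:none" \
        "X-Download-Options:noopen" \
        "X-Permitted-Cross-Domain-Policies:none"; do
        name="${pair%%:*}"
        want="${pair#*:}"
        # header names are case-insensitive; strip CR and the leading space
        got=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i "^$name:" \
              | head -n1 | cut -d: -f2- | sed 's/^ *//')
        if [ "$got" != "$want" ]; then
            echo "$name: expected '$want', got '${got:-<unset>}'"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample: what curl -sI shows once getenv() sees the variable.
GOOD_HEADERS='HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none'

# Constructed sample: a server where the SetEnv value never reaches PHP.
BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

# Run the check on the constructed bad sample when executed directly.
# Real-life usage (not run here):
#   patch_nextcloud_env /var/www/nextcloud
#   check_security_headers "$(curl -sI https://cloud.example.org/)"
check_security_headers "$BAD_HEADERS" || echo "$? header problem(s) found"
```

The check does not replace the "Accessing site insecurely via HTTP" item: that one is about the scheme the site is served on, not a header, and is fixed by requiring HTTPS as the warning says.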
