I am using one of the official Nextcloud docker-compose files to setup an instance behind a SWAG reverse proxy. SWAG is handling SSL and forwarding requests to Nextcloud on port 80 over a Docker network. Whenever I go to the Overview tab in the Admin settings, I see this security warning:

    The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

I have X-Robots-Tag set in SWAG. Is it safe to ignore this warning? I am assuming that Nextcloud is complaining about this because it still thinks its communicating over an insecured port 80 and not aware of the fact that its only talking via SWAG. Maybe I am wrong though. I wanted to double check and see if there was anything else I needed to do to secure my instance.

SOLVED: Turns out Nextcloud is just picky with what’s in X-Robots-Tag. I had set it to SWAG’s recommended setting of noindex, nofollow, nosnippet, noarchive, but Nextcloud expects noindex, nofollow.

  • 7Sea_Sailor@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    You can use a page like https://httpstatus.io/ to check all transferred HTTP headers, or simply inspect the responses in your browser DevTools. If all the headers are present as Nextcloud wants them to be, you can discard the warnings, if there are headers set wrongly, adjust your SWAG settings.

    • Molecular0079@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Okay, nvm. Security checks work even with the proxy. It turns out Nextcloud is just picky with some of the fields. For example, I had set X-Robots-Tag to SWAG’s recommended default of noindex, nofollow, nosnippet, noarchive, but Nextcloud expects only noindex, nofollow.