[BUG] handling of nextcloud X-Frame-Options header outdated?

[BlockListed]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

The default Nextcloud proxy configuration does not pass the Nextcloud security checker. In the current version of Nextcloud contrary to PR #501, the proxy_hide_header X-Frame-Options directive causes the security checks to fail. If this is commented out the security check pass, since the current version of Nextcloud seems to send that header to SWAG already. This would remove the need to uncomment the add_header X-Frame-Options "SAMEORIGIN" always; directive in ssl.conf and provide a secure Nextcloud experience Out of the box.

Expected Behavior

No response

Steps To Reproduce

1. Setup the latest version of Nextcloud (26) (lscr.io/linuxserver/nextcloud)
2. Setup the latest version of Swag (lscr.io/linuxserver/swag) with all default settings, except for enabling the nextcloud proxy conf
3. Run the nextcloud security check /settings/admin/overview
4. It will fail complaining about the X-Frame-Options header

[nemchik]

I've done lots of combinations testing the configs to figure out what makes the most sense.

Ref: #501 (comment)

The issue here is:

---

If we leave out

# nextcloud.subdomain.conf.sample in swag
proxy_hide_header X-Frame-Options;

and comment out

# ssl.conf.sample in swag
#add_header X-Frame-Options "SAMEORIGIN" always;

the test will pass

If we uncomment

# ssl.conf.sample in swag
add_header X-Frame-Options "SAMEORIGIN" always;

the test will fail

So the reason to add

# nextcloud.subdomain.conf.sample in swag
proxy_hide_header X-Frame-Options;

Is because there are valid reasons to include the X-Frame-Options header in swag so it can work on anything being served or proxied via swag, and without using the proxy_hide_header it causes nextcloud's check to fail.

It wouldn't hurt for us to include a comment in the nextcloud proxy instructing users to enable the header line in ssl.conf though.