Nextcloud 14.0.0.19 The "Referrer-Policy" HTTP header is not set to "no-referrer" #11099

Closed
JSoko opened this issue Sep 7, 2018 · 14 comments

@JSoko
Member

JSoko commented Sep 7, 2018

See also #10624

Have this issue too after upgrading from 13.0.6 to 14.0.0.19 on Ubuntu 18.04 LTS server.

Any hints what to set in .htaccess?
I actually have there

    <IfModule mod_env.c>
      # Add security and privacy related headers
      Header set X-Content-Type-Options "nosniff"
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Robots-Tag "none"
      Header set X-Download-Options "noopen"
      Header set X-Permitted-Cross-Domain-Policies "none"
      SetEnv modHeadersAvailable true
    </IfModule>

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #8550 (The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN".), #10604 (Nextcloud 14.0.0 beta3), #10624 (Nextcloud 14 Beta 3 The "Referrer-Policy" HTTP header is not set to "no-referrer"), #9122 (Add setupcheck for Referrer-Policy header), and #10208 (Testing Nextcloud 14.).

@patschi
Member

patschi commented Sep 7, 2018

Adding this line in your .htaccess file should solve the problem:

Header set Referrer-Policy "no-referrer"

However, to be exact, this is not a Nextcloud-related issue. The warning is just showing you a recommendation how to adjust your webserver configuration.

@patschi patschi closed this as completed Sep 7, 2018
@JSoko
Member Author

JSoko commented Sep 8, 2018

@patschi Thank you, that works!
Yes, it isn't a Nextcloud-related issue, but shouldn't it be mentioned in the documentation?
https://docs.nextcloud.com/server/14/admin_manual/configuration_server/harden_server.html?highlight=header%20set#serve-security-related-headers-by-the-web-server

@JB1985

JB1985 commented Sep 11, 2018

For me this is a nextcloud bug in the .htaccess File. Please fix it in the next release.

@raydelgg

This warning continues to appear after each update, even if it was already fixed. Would it not be possible to include this modification in the original .htaccess?

patschi added a commit that referenced this issue Oct 11, 2018
Signed-off-by: Patrik Kernstock <info@pkern.at>
patschi added a commit that referenced this issue Oct 12, 2018
Signed-off-by: Patrik Kernstock <info@pkern.at>
patschi added a commit that referenced this issue Oct 13, 2018
…ferrer

Add "Referrer-Policy" to htaccess file, addresses issue #11099
nickvergessen added a commit that referenced this issue Oct 15, 2018
[stable14] Add "Referrer-Policy" to htaccess file, addresses issue #11099
weeman1337 pushed a commit that referenced this issue Oct 28, 2018
Signed-off-by: Patrik Kernstock <info@pkern.at>
@linuxmangr

I added to .htaccess
Header set Referrer-Policy "no-referrer"
but it did not resolve the problem.

@rabadumpf

I also added to .htaccess
Header set Referrer-Policy "no-referrer"

but it also did not solve the problem.

@patschi
Member

patschi commented Nov 3, 2018

Are you both using apache2 as your webserver, or something else like nginx, @rabadumpf and @linuxmangr?

@rabadumpf

apache2

@nickth76

For some reason, in my case, it needed
Header always set Referrer-Policy "no-referrer"
Pay attention to always set
and of course don't forget to reload apache.

@cracker0dks

This works on nc14, on nc15.0.2 you will get this warning if you have the header set twice.

Details: If you have "add_header Referrer-Policy no-referrer always;" in your (nginx) reverse proxy as well, you will have two entries of "referrer-policy: no-referrer" in your header, and nc15 doesn't like this for some reason.

I solved this by adding "proxy_hide_header Referrer-Policy;" to the proxy part to remove one of the two entries.

@schnittchen

I have Header always set Referrer-Policy "no-referrer" in my Apache config. That worked until I upgraded to version 15, now the message is there again.

For some reason I'm seeing the referrer-policy: no-referrer header twice, which probably messes with the security check.

@zertrin
Member

zertrin commented Feb 13, 2019

Yeah, in my case I had it 3 times in total:

  1. from my Apache global hardening config (no-referrer for all sites on my server)
  2. from the nextcloud VHost file that I made for apache, following some recommendations before point number 3 arrived
  3. from nextcloud's provided .htaccess

Since I don't want to change 1, I changed 2 to Header always unset Referrer-Policy so that the header from 1 is removed. Finally, I left 3 as it is, which re-adds the header at last and solves the problem.

@rogatec

rogatec commented May 21, 2020

Another hint - if in any of those configurations you have duplicated headers set, this will also pop up this warning.
The best solution will be to only set this option in the .htaccess file (if not already set by the Nextcloud installation). Ensure that the vhost configuration does not implement anything.
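
Added example, not part of the thread and not Nextcloud's own code: a shell function that classifies the `Referrer-Policy` field(s) in a raw response-header dump, so the duplicated-header case reported above can be told apart from a missing or different value. It assumes the check wants the combined value to be exactly `no-referrer`; the function names and both sample dumps are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Nextcloud code). Reads raw response headers on stdin,
# e.g. the output of `curl -sI <your-url>`.
# Assumption: the combined header value must be exactly "no-referrer".

# Prints one of: missing | ok <v> | mismatch <v> | duplicate <count> <joined>
check_referrer_policy() {
  awk '
    {
      sub(/\r$/, "")                        # header lines end in CRLF
      colon = index($0, ":")
      if (colon == 0) next                  # status line or blank line
      if (tolower(substr($0, 1, colon - 1)) != "referrer-policy") next
      value = substr($0, colon + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", value)    # trim optional whitespace
      # Repeated fields are combined with ", ", which is what a client sees.
      if (n == 0) joined = value
      else        joined = joined ", " value
      n++
    }
    END {
      if (n == 0)      print "missing"
      else if (n > 1)  print "duplicate " n " " joined
      else if (tolower(joined) == "no-referrer") print "ok " joined
      else             print "mismatch " joined
    }'
}

# Constructed sample: reverse proxy and backend both add the header.
sample_duplicated() {
  printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nReferrer-Policy: no-referrer\r\nreferrer-policy: no-referrer\r\n\r\n'
}

# Constructed sample: the header is set in exactly one place.
sample_single() {
  printf 'HTTP/1.1 200 OK\r\nReferrer-Policy: no-referrer\r\n\r\n'
}

sample_duplicated | check_referrer_policy   # duplicate 2 no-referrer, no-referrer
sample_single     | check_referrer_policy   # ok no-referrer
```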
