feat(setupChecks): Enhance output for SecurityHeaders #55641

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

joshtrichards wants to merge 2 commits into master from jtr/setupChecks-securityHeaders-output-clarity

+62 −9

Member

joshtrichards commented Oct 8, 2025

Resolves: [Bug]: False warning about missing Strict-Transport-Security header despite correct configuration behind reverse proxy #55637 (and other config matters in the past that have lead to mistaken bug reports and/or help queries on the forum)

Summary

Improve the output when headers are missing/incorrect to make troubleshooting easier.

Minor code reformatting for readability.

New class and main function docblocks.

TODO

...

Checklist

Code is properly formatted
Sign-off message is added to all commits
Tests (unit, integration, api and/or acceptance) are included
Screenshots before/after for front-end changes
Documentation (manuals or wiki) has been updated or is not required
Backports requested where applicable (ex: critical bugfixes)
Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
Milestone added for target branch/version (ex: 32.x for stable32)


          feat(setupChecks): Enhance output for SecurityHeaders

ae6aced

Improve the output when headers are missing/incorrect to make troubleshooting easier.

Minor code reformatting for readability.

New class and main function docblocks.

Signed-off-by: Josh <[email protected]>

joshtrichards added this to the Nextcloud 33 milestone

joshtrichards requested review from come-nc and susnux

October 8, 2025 23:32

joshtrichards requested a review from a team as a code owner

October 8, 2025 23:32

joshtrichards added enhancement 3. to review labels

joshtrichards requested review from ArtificialOwl and salmart-dev and removed request for a team

October 8, 2025 23:32

joshtrichards added the feature: settings label


          chore: streamline class docblock a bit

7ee98d2

Signed-off-by: Josh <[email protected]>

come-nc requested changes

View reviewed changes

apps/settings/lib/SetupChecks/SecurityHeaders.php

    
               * on the Nextcloud instance. The check issues warnings or informational messages if recommended

               * security headers are missing, malformed, or set to unsafe values.

               *

               * This class is used by the Nextcloud setup process to ensure that the web server delivers

Contributor

come-nc Oct 20, 2025

Suggested change

      
             * This class is used by the Nextcloud setup process to ensure that the web server delivers
          
             * This class is used to ensure that the web server delivers

It’s not part of setup (as in installation), it’s in the admin overview.

apps/settings/lib/SetupChecks/SecurityHeaders.php

Comment on lines +22 to +23

    
               * Class SecurityHeaders

               *

Contributor

come-nc Oct 20, 2025

Suggested change

      
             * Class SecurityHeaders
          
             *

I would strip these lines as they bring no information.

apps/settings/lib/SetupChecks/SecurityHeaders.php

Comment on lines +53 to +54

    
              	 * Executes the security header setup check.

              	 *

Contributor

come-nc Oct 20, 2025

Suggested change

      
            	 * Executes the security header setup check.
          
            	 *

apps/settings/lib/SetupChecks/SecurityHeaders.php

Comment on lines +63 to +64

    
              	 *

              	 * @return SetupResult Result of the security headers setup check.

Contributor

come-nc Oct 20, 2025

Suggested change

      
            	 *
          
            	 * @return SetupResult Result of the security headers setup check.

apps/settings/lib/SetupChecks/SecurityHeaders.php

Comment on lines +93 to +95

    
              								'- The `%1$s` HTTP header is not set to `%2$s`. Some features '

              								. 'might not work correctly, as it is recommended to adjust this '

              								. 'setting accordingly.',

Contributor

come-nc Oct 20, 2025

I’m not a big fan of the string split, it breaks searching for the error string in the code. What’s the added value?

apps/settings/lib/SetupChecks/SecurityHeaders.php

Comment on lines +161 to +164

    
              						. 'If you believe this is incorrect, review your `overwrite.cli.url` and `trusted_domains` settings. '

                  					. 'These settings may include URLs that do not use HTTPS or bypass your reverse proxy, '

              						. 'which can affect header checks. '

              						. 'Additionally, ensure your DNS records and server configuration are consistent with your HTTPS setup.',

Contributor

come-nc Oct 20, 2025

We should definitely not include unstranslated text in setupchecks results.
I’m also unsure about this added warning text, ideally we should improve the checks to make them less error-prone instead, and for special case document that in the linked documentation.
Maybe we should show a general setting on the overview page on which URL is used by the server for loopback checks, and make it configurable for special cases. Not sure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

come-nc come-nc requested changes

susnux Awaiting requested review from susnux

ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

salmart-dev Awaiting requested review from salmart-dev salmart-dev is a code owner automatically assigned from nextcloud/server-backend

Requested changes must be addressed to merge this pull request.

Labels

3. to review enhancement feature: settings