I am using one of the official Nextcloud docker-compose files to setup an instance behind a SWAG reverse proxy. SWAG is handling SSL and forwarding requests to Nextcloud on port 80 over a Docker network. Whenever I go to the Overview tab in the Admin settings, I see this security warning:
The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
I have X-Robots-Tag set in SWAG. Is it safe to ignore this warning? I am assuming that Nextcloud is complaining about this because it still thinks its communicating over an insecured port 80 and not aware of the fact that its only talking via SWAG. Maybe I am wrong though. I wanted to double check and see if there was anything else I needed to do to secure my instance.
SOLVED: Turns out Nextcloud is just picky with what’s in X-Robots-Tag. I had set it to SWAG’s recommended setting of noindex, nofollow, nosnippet, noarchive, but Nextcloud expects noindex, nofollow.
You can use a page like https://httpstatus.io/ to check all transferred HTTP headers, or simply inspect the responses in your browser DevTools. If all the headers are present as Nextcloud wants them to be, you can discard the warnings, if there are headers set wrongly, adjust your SWAG settings.
Okay, nvm. Security checks work even with the proxy. It turns out Nextcloud is just picky with some of the fields. For example, I had set X-Robots-Tag to SWAG’s recommended default of
noindex, nofollow, nosnippet, noarchive, but Nextcloud expects onlynoindex, nofollow.
