From 2fd00413ea6d609ca8cc76355a47c891f8c70de2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?John=20Molakvo=C3=A6=20=28skjnldsv=29?= Date: Thu, 14 May 2026 19:08:33 +0200 Subject: [PATCH 1/2] docs(security): add __Host- prefix cookie warning explanation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Admins seeing this warning from the security scanner had no obvious place to look for a fix. Add a dedicated section to the security setup warnings page explaining what the prefix does, why it may be missing (reverse proxy terminating TLS), and how to resolve it via overwriteprotocol in config.php. Cross-references the existing cookies.rst page for background. Fixes #377 Signed-off-by: John Molakvoæ (skjnldsv) --- .../security_setup_warnings.rst | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/admin_manual/configuration_server/security_setup_warnings.rst b/admin_manual/configuration_server/security_setup_warnings.rst index c564e216dec..81d430c634e 100644 --- a/admin_manual/configuration_server/security_setup_warnings.rst +++ b/admin_manual/configuration_server/security_setup_warnings.rst 
@@ -133,3 +133,31 @@ Your database does not run with "READ COMMITTED" transaction isolation level This can cause problems when multiple actions are executed in parallel." Please refer to :ref:`db-transaction-label` how to configure your database for this requirement. + +The "__Host-" prefix is not used for the cookie name +----------------------------------------------------- + +"The ``__Host-`` prefix is not used for the cookie name. It is recommended to +enable this in your configuration." + +Nextcloud applies the ``__Host-`` prefix to its same-site CSRF cookies +(``__Host-nc_sameSiteCookiestrict`` and ``__Host-nc_sameSiteCookielax``) when +it detects that the connection is served over HTTPS. The prefix instructs +browsers to only accept those cookies over a secure connection and from the +exact host that set them, which strengthens CSRF protection. + +This warning appears when Nextcloud cannot confirm it is running over HTTPS. +The most common cause is a **reverse proxy** that terminates TLS and forwards +requests to Nextcloud over plain HTTP. In that case Nextcloud sees HTTP +internally and omits the prefix. + +To fix this, tell Nextcloud to treat the connection as HTTPS by adding +``overwriteprotocol`` to ``config/config.php``:: + + 'overwriteprotocol' => 'https', + +If you are not behind a reverse proxy, ensure your web server is configured to +serve Nextcloud exclusively over HTTPS. See the +:ref:`use_https_label` documentation. + +For background on the cookies themselves, see :ref:`cookies`. From 42fa7837f87c27b42c0243edf575ef8f4dab12e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?John=20Molakvo=C3=A6=20=28skjnldsv=29?= Date: Wed, 20 May 2026 09:06:51 +0200 Subject: [PATCH 2/2] fix(gdpr): move cookies label before heading to fix Sphinx cross-reference warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: John Molakvoæ (skjnldsv) --- admin_manual/gdpr/cookies.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/admin_manual/gdpr/cookies.rst b/admin_manual/gdpr/cookies.rst index ded20c2cee1..ff4496f3190 100644 --- a/admin_manual/gdpr/cookies.rst +++ b/admin_manual/gdpr/cookies.rst @@ -1,9 +1,10 @@ +.. _cookies: + ======= Cookies ======= .. sectionauthor:: Björn Schießle -.. _cookies: Nextcloud only stores cookies needed for Nextcloud to work properly. All cookies comes from your Nextcloud server directly, no 3rd-party cookies will be sent to your system. Regarding GDPR, `only data which contain personal data are relevant`_.
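Review bot: In the first hunk (security_setup_warnings.rst), the `'overwriteprotocol' => 'https'` fix is stated unconditionally, but it should be qualified: the section itself explains that the `__Host-` prefix makes browsers accept the cookie only over a secure connection, so once the override is set Nextcloud will emit these cookies regardless of how the request actually arrived, and any client still reaching the instance over plain HTTP will have its CSRF cookies dropped by the browser rather than merely keep seeing the warning. Suggest adding a sentence such as "Only set this when the reverse proxy terminates TLS for all client connections", and pointing to `overwritecondaddr` and `trusted_proxies` so the override is limited to requests coming from the proxy. It would also be worth confirming that the `:ref:`use_https_label`` target exists, since the `:ref:`cookies`` target needed the follow-up patch to resolve.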
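Review bot: For the second hunk (cookies.rst), moving `.. _cookies:` above the title is the right fix: a label only becomes a titled cross-reference target when it immediately precedes the section heading, which is what lets the `:ref:`cookies`` added in the first patch render without a Sphinx warning. While this file is being touched, the unchanged context line "All cookies comes from your Nextcloud server directly" should read "All cookies come from", and "3rd-party" would normally be written "third-party".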