Skip to content

Fix A+ rating when checking with Nextcloud Security Scan. #51173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nickvergessen merged 1 commit into from
Mar 2, 2025
Merged

Fix A+ rating when checking with Nextcloud Security Scan. #51173

nickvergessen merged 1 commit into from
Mar 2, 2025

Conversation

@DaleBCooper
Copy link
Contributor

@DaleBCooper DaleBCooper commented Mar 1, 2025

Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php. This results in a degration from A+ to A rating due to missing __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.

See: https://help.nextcloud.com/t/update-nextcloud-to-31-0-0-now-scaner-showing-rating-a/218485/

@susnux susnux requested review from nickvergessen and solracsf March 1, 2025 19:11
@susnux susnux added bug 3. to review Waiting for reviews labels Mar 1, 2025
@susnux susnux added this to the Nextcloud 32 milestone Mar 1, 2025
@susnux susnux requested review from a team, Altahrim, ArtificialOwl and come-nc and removed request for a team March 1, 2025 19:11
@solracsf
Copy link
Member

solracsf commented Mar 1, 2025
edited
Loading

Or event better, "fix" the scanner instead (by fix, I mean make it scan another endpoint).

Otherwise, just moving the check for /status.php after this line would make more sense, instead of re-introducing a check already in the code.

server/lib/base.php

Line 391 in db620fb

ini_set('session.cookie_httponly', 'true');

@DaleBCooper
Copy link
Contributor Author

DaleBCooper commented Mar 1, 2025

You are right, moving the check for /status.php down does absolutely make sense. Don't know why I didn't see this.

@DaleBCooper
Fix A+ rating when checking with Nextcloud Security Scan.
ed15fdf 
Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php.
This results in a degration from A+ to A rating due to missing  __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.
@scubamuc scubamuc mentioned this pull request Mar 2, 2025
Closed
@nickvergessen

This comment has been minimized.

Sign in to view
@nickvergessen nickvergessen merged commit 92bbcad into nextcloud:stable31 Mar 2, 2025
171 of 180 checks passed
@welcome
Copy link

welcome bot commented Mar 2, 2025

Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22

@backportbot

This comment has been minimized.

Sign in to view
@solracsf
Copy link
Member

solracsf commented Mar 2, 2025

/backport to master

@backportbot backportbot bot mentioned this pull request Mar 2, 2025
Merged
@DaleBCooper DaleBCooper deleted the fix-a+-rating branch March 2, 2025 11:48
@blizzz blizzz mentioned this pull request Mar 4, 2025
Merged
3 tasks
@blizzz blizzz mentioned this pull request Mar 12, 2025
Merged
14 tasks
@github-actions
Copy link
Contributor

github-actions bot commented Mar 16, 2025

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@skjnldsv skjnldsv modified the milestones: Nextcloud 32, Nextcloud 33 Sep 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickvergessen nickvergessen nickvergessen approved these changes

@solracsf solracsf solracsf approved these changes

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl was automatically assigned from nextcloud/server-backend

@Altahrim Altahrim Awaiting requested review from Altahrim Altahrim was automatically assigned from nextcloud/server-backend

@come-nc come-nc Awaiting requested review from come-nc come-nc was automatically assigned from nextcloud/server-backend

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug feedback-requested regression

Projects

None yet

Milestone

Nextcloud 32

Development

Successfully merging this pull request may close these issues.

5 participants

@DaleBCooper @solracsf @nickvergessen @susnux @skjnldsv