After running the Nextcloud security scan service, it reported a __Host-Prefix issue, described as follows:
The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.
The description itself is not very clear and gives no documentation link, which is a bit confusing.
Searching the forum shows that this is a very old issue; it apparently already existed, and was fixed, back in NC11.
Security: __Host-Prefix cookie setting? – ℹ️ Support – Nextcloud community
Security Scan: __Host-Prefix – ℹ️ Support – Nextcloud community
__Host-Prefix wrong – ℹ️ Support – Nextcloud community
How to solve the _host-prefix issue – ℹ️ Support – Nextcloud community
Yet it keeps coming back.
Same problem here but easy to fix.
tl;dr:
Edit your php.ini and add/set:
session.cookie_secure=1
You may need to do a reload of your php-fpm process depending on your installation.
Explanation:
Since Nextcloud version 31 the missing __Host-prefix can be seen when requesting /status.php:
curl -I https:///status.php
[…]
set-cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
[…]
The Nextcloud security scanner requests this file and consequently gives the A rating.
On any other request the __Host-prefix was set correctly.
The reason can be found in lib/base.php, line 365:
// Do not initialize sessions for 'status.php' requests
// Monitoring endpoints can quickly flood session handlers
// and 'status.php' doesn't require sessions anyway
if (str_ends_with($request->getScriptName(), '/status.php')) {
return;
}
[...]
if ($request->getServerProtocol() === 'https') {
ini_set('session.cookie_secure', 'true');
}
So session.cookie_secure does not get set to true for status.php.
This was a change between Nextcloud 30 and 31.
I think this should be mentioned in the upgrade and/or changelog documentation.
Users with A+ rating after upgrading to version 31 had this setting already in their php.ini.
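To make the forum reply above checkable without the scanner, here is an added example (my own code, not from the original post or from Nextcloud) that parses raw Set-Cookie lines and applies the __Host- prefix rules a browser enforces: the cookie must carry Secure, must not carry Domain, and must have Path=/. The first two sample lines are the status.php headers quoted in the reply; the third is a constructed line whose cookie name is only an assumed shape of what Nextcloud sends once session.cookie_secure is on, not a captured header.

```python
"""Audit Set-Cookie headers against the __Host- prefix rules.

Added example, not code from the original post or from Nextcloud.
Feed it the raw header lines from `curl -I https://<host>/status.php`
(and from a normal page) and it tells you, per cookie, why the
__Host- hardening check would fail.
"""
from dataclasses import dataclass, field

# Constructed sample: lines 1-2 are the status.php headers quoted in the
# forum reply; line 3 is an ASSUMED example of a prefixed cookie as sent
# once session.cookie_secure is enabled (name/shape assumed, not captured).
SAMPLE_HEADERS = [
    "set-cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax",
    "set-cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict",
    "set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly; secure; SameSite=lax",
]


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header, with or without the 'set-cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header[len("set-cookie:"):]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return Cookie(name.strip(), value.strip(), attrs)


def host_prefix_findings(c: Cookie) -> list:
    """Return the problems with this cookie; an empty list means it passes.

    For a __Host- cookie the findings are the reasons a browser would
    silently drop it.  For a non-prefixed cookie they explain why the
    hardening check fails: without the prefix, a cookie of the same name
    set by any sibling subdomain (Domain=example.com) is accepted by the
    browser and sent to this host, which is the injection __Host- blocks.
    """
    findings = []
    if c.name.startswith("__Host-"):
        if "secure" not in c.attrs:
            findings.append("__Host- cookie without Secure: browser rejects it")
        if "domain" in c.attrs:
            findings.append("__Host- cookie with Domain: browser rejects it")
        if c.attrs.get("path") != "/":
            findings.append("__Host- cookie Path must be exactly '/'")
    else:
        findings.append("no __Host- prefix: injectable from a sibling subdomain")
        if "secure" not in c.attrs:
            # This is exactly the status.php symptom: session.cookie_secure
            # is never set for that request, so no Secure flag, no prefix.
            findings.append("missing Secure: the __Host- prefix cannot be used")
    return findings


def audit(headers) -> dict:
    """Map cookie name -> list of findings for every Set-Cookie line given."""
    return {c.name: host_prefix_findings(c) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS).items():
        print(name, "OK" if not problems else problems)
```

Run it against the headers of both status.php and a normal page after reloading php-fpm: the check only passes once every session-related cookie is prefixed and flagged Secure on both requests, which is what the scanner keys on.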