diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst
index eff45ab91d0..a120d52cefc 100644
--- a/admin_manual/installation/harden_server.rst
+++ b/admin_manual/installation/harden_server.rst
@@ -221,8 +221,6 @@ These include:
 - ``X-Content-Type-Options: nosniff``
 - Instructs some browsers to not sniff the mimetype of files. This is used for example to prevent browsers from interpreting text files as JavaScript.
-- ``X-XSS-Protection: 1; mode=block``
- - Instructs browsers to enable their browser side Cross-Site-Scripting filter.
 - ``X-Robots-Tag: noindex, nofollow``
 - Instructs search machines to not index these pages and not follow any links there.
 - ``X-Frame-Options: SAMEORIGIN``
diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample
index a9db15e74bb..7c22f840c9e 100644
--- a/admin_manual/installation/nginx-root.conf.sample
+++ b/admin_manual/installation/nginx-root.conf.sample
@@ -79,7 +79,6 @@ server {
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "noindex, nofollow" always;
- add_header X-XSS-Protection "1; mode=block" always;
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
index afe3bc07092..4a0d2a82853 100644
--- a/admin_manual/installation/nginx-subdir.conf.sample
+++ b/admin_manual/installation/nginx-subdir.conf.sample
@@ -111,7 +111,6 @@ server {
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "noindex, nofollow" always;
- add_header X-XSS-Protection "1; mode=block" always;
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
diff --git a/admin_manual/release_notes/index.rst b/admin_manual/release_notes/index.rst
index 2921954eac0..fa92bb8fdb0 100644
--- a/admin_manual/release_notes/index.rst
+++ b/admin_manual/release_notes/index.rst
@@ -14,6 +14,7 @@ These sub pages will cover the most important changes in Nextcloud, as well as s
 .. toctree::
 :maxdepth: 1
+ upgrade_to_32.rst
 upgrade_to_31.rst
 upgrade_to_30.rst
 upgrade_to_28.rst
diff --git a/admin_manual/release_notes/upgrade_to_32.rst b/admin_manual/release_notes/upgrade_to_32.rst
new file mode 100644
index 00000000000..22893b0e8ac
--- /dev/null
+++ b/admin_manual/release_notes/upgrade_to_32.rst
@@ -0,0 +1,16 @@
+=======================
+Upgrade to Nextcloud 32
+=======================
+
+System requirements
+-------------------
+
+* PHP 8.1 is now deprecated but still supported.
+* PHP 8.4 is now supported, but 8.3 is recommended.
+
+Web server configuration
+------------------------
+
+* Setup checks do not check for the ``X-XSS-Protection`` response header anymore. It has been removed from Nextcloud's ``.htaccess`` and you may want to adjust your webserver config to not serve it anymore.
+ XSS filtering was supported only until Chromium 78 and similarly old browsers, but had been found to cause more issues, including attack vectors, than it solved.
+ Nowadays, aside of not serving the header at all, the only generally recommended value is ``0``. More context can be found in the `OWASP Cheat Sheet Series `_.