Nextcloud security scan __Host-Prefix

Hi Everyone,

After several years of hosting NextCloudPi on a local Raspi, I am switching to YunoHost (so I'm a newbie to YunoHost) on a VPS and must say: so far I'm very impressed, great software, thanks for the great work!!!

Description of my issue:

configured Nextcloud with a subdomain (so the URL is
tried the Nextcloud scan under

everything seems to be fine, except

The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of 'normal' same-site cookies.

searched here on the forum and did not find a solution (found the following)

I would be very grateful for any hints.

My YunoHost server

Hardware: VPS bought online
YunoHost version: (stable).
I have access to my server : in every possible way for VPS (YHweb, VPSconsole, ssh)
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
If your request is related to an app, specify its name and version: Nextcloud 28.0.1~ynh2

I'll not help a lot, but I just did the same test, with the only difference being that NextCloud has its own domain (something like nextcloud.myserver.tld).
And in this situation (same YunoHost version, same NextCloud version), I do not have a __Host-Prefix warning.

Hi Mamie,
thanks for answering!
I'm not sure, are you saying that you have a domain of your own only for your Nextcloud?
Or do you have an extra subdomain?
(which is the case with me)

I have something like this :

  • maindomain.tld : YunoHost’s portal
  • nextcloud.maindomain.tld : only NextCloud
  • maindomain.tld/something : something else
  • otherapp.maindomain.tld : another app

I have ONLY NextCloud on nextcloud.maindomain.tld

Sounds like the same structure I have. My domain/subdomain configuration looks like this:

The YunoHost main portal is reachable under the domain itself and under portal.domain.tld
Nextcloud is reachable under wolke.domain.tld

The strange part is the /nextcloud part.
If this domain is only for Nextcloud, why not put it at the root?

(This is not a solution, it seems that there is a problem, but this is the sole difference between our installations)

When I install/configure Nextcloud, it forces me to put the /nextcloud part.
I seem to be missing a setting…

I started once more from scratch, to be sure not to have misconfigured anything. But the result is the same.
I can open it without the path behind, but it redirects directly to wolke/
and the Nextcloud security scan still complains about this.
I installed the app with the web frontend, can that be the problem? Are there maybe different options when installing from the CLI?

Did you try to put / instead of /nextcloud into the field?


Yeah, that worked. Thanks!
Actually, when I tried this with my first setup it did not work (or so it seemed); well, obviously I made some mistake.

Anyway: making the input field behind / empty seems to have solved the issue.

Hint to people stumbling on this:
If you create the subdomain first and put '/' in the path in the Nextcloud installation dialog, it should work directly.

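Why the install path matters, as an added illustration that is not from this thread: a browser only accepts a cookie whose name starts with __Host- if it is Secure, carries no Domain attribute and has Path=/ exactly, so an app served under /nextcloud (its cookies get Path=/nextcloud) cannot use the prefix, while the same app at the root of the subdomain can. The checker below applies those rules to Set-Cookie headers; the cookie names and values are constructed samples, not captured from a real server.

```python
"""Check Set-Cookie headers against the __Host- / __Secure- prefix rules."""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, attributes).

    Attribute keys are lower-cased; bare flags such as Secure map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def prefix_violations(header: str) -> List[str]:
    """Return why a browser would reject the cookie, or [] if it is fine.

    __Host-: must be Secure, must not set Domain, Path must be exactly '/'.
    __Secure-: must be Secure.  Unprefixed cookies are not constrained here.
    """
    name, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append(f"Path must be '/', got {attrs.get('path')!r}")
    elif name.startswith("__Secure-"):
        if "secure" not in attrs:
            problems.append("missing Secure")
    return problems


# Constructed samples: the sub-path install versus the root install.
SUBPATH_COOKIE = "__Host-nc_sameSiteCookielax=true; Path=/nextcloud; Secure; HttpOnly; SameSite=Lax"
ROOT_COOKIE = "__Host-nc_sameSiteCookielax=true; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for cookie in (SUBPATH_COOKIE, ROOT_COOKIE):
        name, _ = parse_set_cookie(cookie)
        print(name, prefix_violations(cookie) or "ok")
```

Run it against the real Set-Cookie headers of your own instance (for example from the browser's developer tools) to confirm the prefix is accepted after moving the app to /.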
