@pitaj said in Replace "X-XSS-Protection 0" with "X-XSS-Protection "1; mode=block":
proxy_hide_header X-XSS-Protection
This solved the issue. Thank you.
I am running nodebb 1.17.0 with a nginx proxy.
I want to disable or change the header set by nodebb: "X-XSS-Protection 0". It should be "X-XSS-Protection 1; mode=block".
If I just add the header in nginx, I have two headers, which is invalid. So, how to remove or change the header within nodebb?
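The approach confirmed in the reply quoted at the top of this page (hide the upstream header with proxy_hide_header, then set the wanted value in nginx), written out as a config fragment. This is an added example, not a configuration posted in the thread; the server name, the upstream address 127.0.0.1:4567 and the forwarded-header lines are assumptions.

```nginx
# Added example: names and addresses below are assumptions.
server {
    listen 443 ssl;
    server_name mysite.com;                 # placeholder host
    # ssl_certificate / ssl_certificate_key omitted here

    # Before: NodeBB's own "X-XSS-Protection: 0" passes through the proxy and
    # add_header appends a second one, so the client sees the header twice.
    #
    # location / {
    #     proxy_pass http://127.0.0.1:4567;
    #     add_header X-XSS-Protection "1; mode=block";
    # }

    # After: drop the upstream copy first, then set the single value wanted.
    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_hide_header X-XSS-Protection;   # strip the header NodeBB sends
        # "always" also applies the header to error responses (4xx/5xx)
        add_header X-XSS-Protection "1; mode=block" always;

        # add_header is inherited from the server block only when this
        # location has no add_header of its own; repeat any other security
        # headers here if they are set at server level.
    }
}
```

After reloading nginx, `curl -sI https://mysite.com/ | grep -i x-xss-protection` should print exactly one line.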
@twissell
I also ran my first upgrade with 1.17 and had the same problem. The solution was: I have to run the upgrade with the user nodebb is running under. For me this is the user "nodebb", so "su nodebb" and then start the upgrade script. If you run it as root, you may have to reassign the files to the user, e.g. "chown -R nodebb:nodebb *" in the appropriate folder. But beware, I am a nodebb beginner myself and found this out only by trial and error. For me it worked like this.
Yes, sorry. This is the nginx logfile.
Since the upgrade to 1.17 I have many messages like this in the logfile:
2021/04/26 00:14:35 [crit] 40408#40408: *679 open() "/var/www/mysite/nodebb/public/src/modules/cropper.js" failed (13: Permission denied), client: 178.xxx.xx.xxx, server: mysite.com, request: "GET /assets/src/modules/cropper.js?v=e0dn33rd4h0 HTTP/2.0", host: "mysite.com", referrer: "https://mysite.com/user/admin/edit"
There is no /var/www/mysite/nodebb/public/src/modules/cropper.js. I found it at
/var/www/mysite.com/nodebb/build/public/src/modules/cropper.js
/var/www/mysite.com/nodebb/node_modules/cropperjs/dist/cropper.js
/var/www/mysite.com/nodebb/node_modules/cropperjs/src/js/cropper.js
What can I do? Just create a symlink maybe? Or is that too simple thinking?
Did I ask a stupid question, or is the forum here just dead? Is there an active NodeBB developer community somewhere?
Is there a way to send a board notification via the write API? Or maybe via direct write to mongodb? Thanks in advance.
I found a good way to get the user list out of mongodb. In case anyone needs it:
```javascript
const { MongoClient } = require("mongodb");

async function doMongoDb() {
  // Placeholder credentials; replace with your own
  const username = encodeURIComponent("admin");
  const password = encodeURIComponent("mypassword");
  const clusterUrl = "localhost:27017";
  const authMechanism = "DEFAULT";
  const uri = `mongodb://${username}:${password}@${clusterUrl}/?authMechanism=${authMechanism}`;
  const client = new MongoClient(uri, { useNewUrlParser: true, useUnifiedTopology: true });
  try {
    await client.connect();
    const database = client.db("nodebb");
    const objects = database.collection("objects");
    // match all user objects (keys of the form "user:<uid>")
    const query = { _key: /^user:\d+$/ };
    // select the fields we want to see (and drop _id)
    const options = {
      projection: { _id: 0, username: 1, email: 1, "email:confirmed": 1, joindate: 1, fullname: 1 },
    };
    if ((await objects.countDocuments(query)) === 0) {
      console.log("No user found!");
    }
    const cursor = objects.find(query, options);
    // iterate over the users, printing only those with a confirmed e-mail
    await cursor.forEach(user => {
      if (user["email:confirmed"] == 1) {
        console.dir(user);
      }
    });
  } finally {
    // make sure we close the connection
    await client.close();
  }
}
// ---------------------------------------------------
function init() {
  // doMongoDb() is async, so a failure arrives as a rejected promise
  // and has to be handled with .catch(), not try/catch
  doMongoDb().catch(e => {
    console.log(e);
  });
}
// ---------------------------------------------------
init();
```
Is there really no way to get the user list without going all the way through CSRF tokens, login, session, etc.? That would not really be a REST API. Or have I understood something completely wrong? That's a knockout criterion for us.
I have problems getting a list of all users from the API.
This works:
curl -H "Authorization: Bearer xxxxxxxx-1c44-44b0-847c-xxxxxxxxxxxx" http://localhost:4567/api/categories?_uid=1
This won't work:
curl -H "Authorization: Bearer xxxxxxxx-1c44-44b0-847c-xxxxxxxxxxxx" http://localhost:4567/api/users?_uid=1
{"status":{"code":"not-authorised","message":"A valid login session was not found. Please log in and try again."},"response":{}}
What am I doing wrong?
I am using a self-compiled nginx with ngx_pagespeed and brotli. Both seem to work together with NodeBB without any problems. Is there anyone here who also uses this setup and would like to share experiences?
--http-client-body-temp-path=/var/cache/ram/body \
--http-fastcgi-temp-path=/var/cache/ram/fastcgi \
--http-proxy-temp-path=/var/cache/ram/proxy \
Swapping the pagespeed cache to a RAM partition is very effective in this scenario.
Hello all,
I am using NodeBB 1.16.2 with Oxide theme. No other plugins except the ones that came with the installation. Every time I call a page I get the following 404 message in the nginx log:
178.xxx.xxx.xxx - - [09/Apr/2021:10:52:02 +0000] "GET /assets/src/client/footer.js?v=4u8ga71iu38 HTTP/2.0" 404 9 "https://xxxx.xx/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0"
I just can't find the appropriate call to it though:
# locate footer.js
/var/www/nodebb/build/public/templates/admin/footer.js
/var/www/nodebb/build/public/templates/admin/partials/settings/footer.js
/var/www/nodebb/build/public/templates/emails/partials/footer.js
/var/www/nodebb/build/public/templates/footer.js
/var/www/nodebb/install/data/footer.json
/var/www/nodebb# grep -R "footer.js" *
CHANGELOG.md:* add partials/footer/js.tpl (94da9fe5)
node_modules/nodebb-theme-vanilla/templates/footer.tpl: <!-- IMPORT partials/footer/js.tpl -->
node_modules/nodebb-theme-persona/templates/footer.tpl: <!-- IMPORT partials/footer/js.tpl -->
src/install.js: fs.promises.readFile(path.join(__dirname, '../', 'install/data/footer.json'), 'utf8'),
Can someone please help me or point me in the right direction? I am unfortunately a newbie in the NodeBB area. Thanks!