About NC's "Security & Setup warnings" on nginx

I’ve always wondered. I would describe nginx as follows.
https://docs.nextcloud.com/server/19/admin_manual/installation/nginx.html

I get a warning in NC if I have the following right after “server {”.

```
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
```

  • The “X-Content-Type-Options” HTTP header is not set to “nosniff”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Robots-Tag” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Download-Options” HTTP header is not set to “noopen”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
  • The “X-Permitted-Cross-Domain-Policies” HTTP header is not set to “none”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

However, Nextcloud Security Scan has an “A+” result.
I remove it and it passes with “Security & Setup warnings”.
*That is to say, only in “location ~ .(?:css|js|woff2?|svg|gif|map)$”.

Which is correct, one written in two places and one written in one?
Two places won’t pass in NC.
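
An added diagnostic, not part of the original post: the warnings above compare each header's value with one exact string, so it helps to see what the server really sends. This sketch audits a raw header dump (for example saved from `curl -sI`) against the values listed in the post and reports headers that are missing, repeated, or different. The function name and the sample response are constructed for illustration.

```python
from collections import defaultdict

# Expected values, taken from the add_header lines and warnings in the post.
EXPECTED = {
    "referrer-policy": "no-referrer",
    "x-content-type-options": "nosniff",
    "x-download-options": "noopen",
    "x-frame-options": "SAMEORIGIN",
    "x-permitted-cross-domain-policies": "none",
    "x-robots-tag": "none",
    "x-xss-protection": "1; mode=block",
}

def audit_headers(raw: str) -> dict:
    """Return {header: problem} for each expected header that is not sent exactly once as expected."""
    seen = defaultdict(list)
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()].append(value.strip())
    problems = {}
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            problems[name] = "missing"
        elif len(values) > 1:
            # Clients fold repeated lines into one comma-joined value,
            # which no longer equals the single expected string.
            problems[name] = "sent %d times: %s" % (len(values), ", ".join(values))
        elif values[0].lower() != want.lower():
            problems[name] = "unexpected value: " + values[0]
    return problems

# Constructed sample response (not captured from a real server).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
"""

if __name__ == "__main__":
    for header, problem in audit_headers(SAMPLE).items():
        print(header, "->", problem)
```

Running it against responses for both a PHP page and a static asset shows whether each location sends every header exactly once.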