Ok, this is somewhat ridiculous .. the Hardening and Security help for Nextcloud states that the headers referrer-policy, x-content-type-options, x-robots-tag and x-frame-options are hardcoded into the server (unless it means an Apache instance ..?), but if I omit them from the configuration, the Administrator page complains that the first 3 are missing(!) even though this test site ..
says they’re present .. it ALSO says that x-frame-options is missing - unless I explicitly enable it.
What’s going on, and who do I believe? - I’m inclined to believe the latter as it’s independent …
Yes, exactly this. These “hardcoded” security headers, among other things, are configured in the .htaccess file in the root directory of your Nextcloud installation. However, because Nginx doesn’t support .htaccess files, you need to add the headers manually to your Nginx configuration.
I’m not sure. Did you restart nginx after changing the configuration? And are you sure that the site actually performed a re-scan? Sometimes these test sites show old results and you have to explicitly trigger a re-scan. You could also try reloading the site with Ctrl+F5 to clear the cache.
Otherwise, all I can say is that you have to set these headers in Nginx because .htaccess files definitely don’t work with Nginx. If you’re unsure whether your config is correct, stick to the configuration in the documentation. If some of those sites still report errors, post your config here…
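As an added illustration of what the two replies above mean (this is an example, not a config posted in the thread and not copied from any particular Nextcloud documentation version): the headers that Apache picks up from Nextcloud's .htaccess have to be written as `add_header` directives in the Nginx `server` block. The server name and paths below are placeholders; the header values follow what Nextcloud's .htaccess sets, with Nextcloud's own `X-Frame-Options "SAMEORIGIN"` included because it is the one the scanner reported missing. The `always` parameter makes Nginx emit the headers on error responses too, not only on 2xx/3xx.

```nginx
server {
    listen 443 ssl http2;
    server_name cloud.example.com;        # placeholder hostname
    root /var/www/nextcloud;              # placeholder path

    # Headers normally supplied by Nextcloud's .htaccess under Apache.
    # Nginx ignores .htaccess, so they must be declared here.
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

    # Do not advertise the PHP version.
    fastcgi_hide_header X-Powered-By;

    location ~ \.php(?:$|/) {
        # Pitfall: an add_header inside a location block replaces ALL
        # add_header directives inherited from the server block. If you
        # need an extra header only here, repeat the full set in this
        # block as well, otherwise the security headers silently vanish
        # on exactly the responses the admin check and the scanner look at.
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After `nginx -t` and a reload, the quickest independent check is `curl -sI https://cloud.example.com/` and looking for the six headers in the response; if they appear there but a scanner still reports them missing, the scanner is most likely showing a cached result. If they are missing only for some URLs, look for a stray `add_header` in the matching `location` block.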
Yup; I actually restarted both the service and the machine just to be sure. And the same issue shows .. I’ve also got an alias to the server under a different name that shows the same thing.