In my case (Nextcloud 10.0.1 on Ubuntu 16.04), this will cause 2 error messages in the admin settings:
- The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
- The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.
I’ve changed it in .htaccess manually to:
<IfModule mod_env.c>
# Add security and privacy related headers
Header always set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header always set X-Frame-Options "SAMEORIGIN"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
SetEnv modHeadersAvailable true
</IfModule>
(“Header always set…” instead of “Header set…”)
@jan, if I run the command
sudo -u www-data php occ maintenance:update:htaccess
the corrections in .htaccess will be overwritten and those 2 error messages will appear again.
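
One way to check, after running `occ maintenance:update:htaccess`, whether the manual correction described in the post above is still in place. This is an added example, not part of the original post and not Nextcloud code; the function names and sample files are constructed, and the "regenerated" sample assumes the plain `Header set` form that the post says it replaced.

```shell
#!/bin/sh
# Headers the two admin-page warnings quoted in the post refer to.
REQUIRED_HEADERS="X-Content-Type-Options X-Frame-Options"

# header_mode FILE NAME -> prints "always", "onsuccess" or "missing".
# "onsuccess" is Apache's default condition when "always" is not given.
header_mode() {
    awk -v want="$2" '
        {
            # Commented-out lines never have "header" as their first field.
            i = 1
            if (tolower($i) != "header") next
            i++; cond = "onsuccess"
            if (tolower($i) == "always") { cond = "always"; i++ }
            else if (tolower($i) == "onsuccess") i++
            if (tolower($i) != "set") next
            if (tolower($(i + 1)) != tolower(want)) next
            if (cond == "always") a = 1; else o = 1
        }
        END { print (a ? "always" : (o ? "onsuccess" : "missing")) }
    ' "$1"
}

# check_htaccess_headers FILE -> one line per required header;
# returns 0 only if each one is set with "Header always set".
check_htaccess_headers() {
    rc=0
    for h in $REQUIRED_HEADERS; do
        m=$(header_mode "$1" "$h")
        echo "$h $m"
        [ "$m" = "always" ] || rc=1
    done
    return $rc
}

# Constructed samples: a regenerated block and the manually corrected one.
demo_dir=$(mktemp -d)
printf '%s\n' '<IfModule mod_env.c>' \
    '  Header set X-Content-Type-Options "nosniff"' \
    '  Header set X-Frame-Options "SAMEORIGIN"' '</IfModule>' > "$demo_dir/regenerated"
printf '%s\n' '<IfModule mod_env.c>' \
    '  Header always set X-Content-Type-Options "nosniff"' \
    '  Header always set X-Frame-Options "SAMEORIGIN"' '</IfModule>' > "$demo_dir/corrected"

check_htaccess_headers "$demo_dir/regenerated" || echo "-> correction missing, re-apply it"
check_htaccess_headers "$demo_dir/corrected" && echo "-> correction in place"
rm -rf "$demo_dir"
```

Against a real installation, call `check_htaccess_headers` with the path to the `.htaccess` file in the Nextcloud directory after each run of the occ command.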