Nextcloud version 13.0.5
PHP version 7.2.8
The issue you are facing:
Our Nextcloud installation reports a couple of security warnings regarding Apache headers. Our hosting provider checked this out and the server’s headers seem to be configured correctly.
Example cURL call:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 23 Jul 2018 18:18:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 7656
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
It seems Nextcloud is not interpreting the header settings correctly, which results in ‘false’ security warnings.
Many thanks in advance!
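An added example, not part of the original post and not Nextcloud's own code: a check over the headers pasted above that flags any security header sent more than once. It assumes a browser-side check that reads each header through `XMLHttpRequest.getResponseHeader()`, which joins repeated values with `", "`, and compares the result against a single expected value; the `EXPECTED` table and the function names are hypothetical, with values taken from the response itself.

```javascript
// Constructed sample: status line plus the security headers from the response above.
const RAW_RESPONSE = [
  'HTTP/1.1 200 OK',
  'X-Frame-Options: SAMEORIGIN',
  'X-XSS-Protection: 1; mode=block',
  'X-Content-Type-Options: nosniff',
  'X-Robots-Tag: none',
  'X-Download-Options: noopen',
  'X-Permitted-Cross-Domain-Policies: none',
  'X-XSS-Protection: 1; mode=block',
  'X-Content-Type-Options: nosniff',
].join('\r\n');

// Assumption: expected single values, taken from the values the response shows.
const EXPECTED = {
  'x-frame-options': 'SAMEORIGIN',
  'x-xss-protection': '1; mode=block',
  'x-content-type-options': 'nosniff',
  'x-robots-tag': 'none',
  'x-download-options': 'noopen',
  'x-permitted-cross-domain-policies': 'none',
};

// Parse a raw header block into name -> [values], keeping every occurrence.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// Report each expected header as ok, missing, duplicate or mismatch.
function auditSecurityHeaders(raw, expected = EXPECTED) {
  const headers = parseHeaders(raw);
  return Object.entries(expected).map(([name, want]) => {
    const values = headers.get(name) || [];
    const combined = values.join(', '); // what getResponseHeader() would return
    let status = 'ok';
    if (values.length === 0) status = 'missing';
    else if (values.length > 1) status = 'duplicate';
    else if (combined.toLowerCase() !== want.toLowerCase()) status = 'mismatch';
    return { name, status, combined };
  });
}
```

A `duplicate` result means the header is set in two places in the serving chain (for example, web server configuration and application), so a strict string comparison sees `nosniff, nosniff` rather than `nosniff`.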