HTTP headers problem

Nextcloud Hub 4 (26.0.1)
I recently switched from an nginx reverse proxy to a Caddy reverse proxy and I have a problem with HTTP headers. I have this in Security & setup warnings:


There are some warnings regarding your setup.

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

  • Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation.

  • Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation.

Please double check the installation guides, and check for any errors or warnings in the log.

Check the security of your Nextcloud over our security scan.


In the Caddyfile, I have the headers set as follows:

(headers) {
    header /* {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Permissions-Policy interest-cohort=()
        X-Xss-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Content-Security-Policy "upgrade-insecure-requests"
        Referrer-Policy "strict-origin-when-cross-origin"
        Cache-Control "public, max-age=15, must-revalidate"
        Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geo>
        Server "No."
    }
}

When I check the Nextcloud website with securityheaders, everything seems to be OK. I only see a problem with duplication:

Content-Security-Policy	This policy contains 'unsafe-inline' which is dangerous in the style-src directive.
X-Content-Type-Options	There was a duplicate X-Content-Type-Options header.
X-Frame-Options	There was a duplicate X-Frame-Options header.

If I remove the headers section from the Caddyfile, Nextcloud shows this:


There are some warnings regarding your setup.

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

  • Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation.

  • Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation.

Please double check the installation guides, and check for any errors or warnings in the log.

Check the security of your Nextcloud over our security scan.

Has anyone found a solution to this problem?

Are you importing your (headers) section into your site entry?

P.S. I would not use preload until you have the bugs of your configuration worked out.
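As an added example (not code from the thread or from the Nextcloud project), here is a complete Caddy v2 site block that actually applies the snippet and adds the two redirects Nextcloud's warnings refer to. The hostname cloud.example.com and the upstream nextcloud:80 are placeholders, and the redirect targets follow the /remote.php/dav/ paths the warnings concern; everything else is standard Caddyfile syntax. The proxy sets only headers the backend does not already send, because the duplicates securityheaders reported (X-Content-Type-Options, X-Frame-Options) come from Nextcloud emitting those headers itself.

```caddyfile
# Added example, not from the thread. cloud.example.com and nextcloud:80 are
# placeholders; replace them with your own hostname and backend address.
(headers) {
    header {
        # Nextcloud's check requires max-age >= 15552000 (180 days); one year here.
        # No "preload" until the configuration is known to be stable.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Permissions-Policy "interest-cohort=()"
        # X-Content-Type-Options and X-Frame-Options are deliberately absent:
        # Nextcloud sends them itself, and repeating them here is what produced
        # the duplicate headers reported by securityheaders.
        # Content-Security-Policy is also absent: Nextcloud generates its own
        # per-response CSP, and replacing it from the proxy breaks the web UI.
        -Server
        # Apply these operations when the response is written, so a value set
        # here replaces the upstream's value instead of being added next to it.
        defer
    }
}

cloud.example.com {
    # Without this line the snippet above is defined but never used, which
    # leaves the Strict-Transport-Security warning in place.
    import headers

    # Nextcloud expects the web server to send CalDAV/CardDAV discovery
    # requests to its DAV endpoint; these clear the two /.well-known warnings.
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301

    reverse_proxy nextcloud:80
}
```

After `caddy reload`, the admin page should stop showing the three warnings; `curl -sI https://cloud.example.com/` should show exactly one Strict-Transport-Security line and one each of X-Content-Type-Options and X-Frame-Options. X-XSS-Protection is left out on purpose: current browsers ignore it, and "1; mode=block" is no longer a recommended value.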