Nextcloud version: 11.0.3
Operating system and version: CentOS Linux release 7.3.1611
nginx version: 1.12.0
PHP version: 7.1.4 (php-fpm)
The issue you are facing:
Nextcloud is complaining about security things but they’re already configured.
Error occurred while checking server setup
The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
I’m having the same issue. I’m using Nextcloud 12.0.0 on Ubuntu 16.0.4 and I see the following warnings in the admin section:
The “X-XSS-Protection” HTTP header is not configured to equal to “1; mode=block”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Content-Type-Options” HTTP header is not configured to equal to “nosniff”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Robots-Tag” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Download-Options” HTTP header is not configured to equal to “noopen”. This is a potential security or privacy risk and we recommend adjusting this setting.
The “X-Permitted-Cross-Domain-Policies” HTTP header is not configured to equal to “none”. This is a potential security or privacy risk and we recommend adjusting this setting.
I have checked with curl and they are all set correctly:
Finally I removed the “add_header” statement in the Nextcloud config file and the error message disappeared.
I checked that the curl command still shows X-Frame-Options: SAMEORIGIN in the header.
Maybe you also need to adapt your config.
This could be a parsing error of the test scripts because X-Frame-Options: SAMEORIGIN appears 3 times in your header.
So maybe the statement is hard-coded in Nextcloud now?
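The duplicate-header explanation in the last reply is easy to confirm from the client side. The script below is an added example, not code from this thread or from Nextcloud: it parses a raw HTTP response head (the text `curl -sI https://your-host/` prints) and reports, for each header named in the admin warnings, whether it is missing, sent more than once, or set to a value other than the expected one. The sample response is constructed to reproduce the symptom described above (X-Frame-Options emitted three times, because both nginx and Nextcloud add it). Strict string comparison against the values quoted in the warnings is an assumption for this checker, not a statement about how Nextcloud's own setup check compares them.

```python
import sys
from collections import defaultdict

# Expected values, taken from the admin warnings quoted in this thread.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "none",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Download-Options": "noopen",
    "X-Permitted-Cross-Domain-Policies": "none",
}

# Constructed sample: what a misconfigured host might return when nginx's
# add_header and Nextcloud's own PHP code both emit X-Frame-Options.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse a raw response head into {lower-cased name: [values in order]}.

    Every occurrence is kept, so a header sent twice shows up as two values
    instead of silently overwriting the first one.
    """
    headers = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate stray non-header lines
        headers[name.strip().lower()].append(value.strip())
    return headers


def check_security_headers(raw, expected=EXPECTED_HEADERS):
    """Return {header name: 'ok' | 'missing' | 'duplicate: ...' | 'mismatch: ...'}."""
    headers = parse_headers(raw)
    report = {}
    for name, want in expected.items():
        values = headers.get(name.lower(), [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            # The exact situation from the thread: same header, several times.
            report[name] = "duplicate: " + ", ".join(values)
        elif values[0] != want:
            report[name] = "mismatch: " + values[0]
        else:
            report[name] = "ok"
    return report


def all_ok(report):
    """True only when every expected header is present exactly once with the right value."""
    return all(status == "ok" for status in report.values())


if __name__ == "__main__":
    # Pipe real output in with:  curl -sI https://your-host/ | python3 check_headers.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    result = check_security_headers(raw)
    for name, status in result.items():
        print(f"{name:36} {status}")
    print("all headers OK" if all_ok(result) else "problems found")
```

On the constructed sample the report flags X-Frame-Options as a duplicate and X-Robots-Tag as missing; once the redundant `add_header` lines are removed from the nginx server block (or the header is left to one layer only), the same check should come back clean.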