https://scan.nextcloud.com seems not to detect X-XSS-Protection when the report parameter is present

Hi,

My Nextcloud instance provides the following cookie:

X-Xss-Protection "1; mode=block; report=https://xxxx.report-uri.com/r/d/xss/enforce"

When I scan it with https://scan.nextcloud.com, it says this header is missing.

I suppose there’s some problem with the report parameter.

Hi!

I used to have the same behaviour, both in Nextcloud 18 and on https://scan.nextcloud.com.
But the headers were there… twice!

$ curl -I https://mysite
HTTP/2 302
[…]
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block

Twice because one was in the nginx server conf, and one in the .htaccess in my Docker image…

I also untimely solved it when I hardened my SSL parameters using this conf :slight_smile: :
(no link)

ssl_session_timeout 1d;
ssl_session_cache shared:MySSL:10m;
ssl_session_tickets off;
ssl_dhparam /path/to/dh4096.pem;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

Now the message has disappeared… :crazy_face:
I've only got a notice about /oc(m|s)-provider/
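A small checker for the two situations in this thread, a `report=` parameter in X-XSS-Protection and the same header emitted twice (nginx plus .htaccess). This is an added example, not code from Nextcloud or scan.nextcloud.com; the header blocks and the `example.invalid` report URL are constructed sample input.

```python
"""Inspect a raw HTTP response header block for X-XSS-Protection.
Added example (not Nextcloud's or the scanner's code). Reports whether the
header is present, whether it is duplicated, and parses its directives so a
report=<url> value is handled correctly instead of hiding the header."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample responses modelled on the thread (not real captures).
RAW_WITH_REPORT = (
    "HTTP/2 200\r\n"
    "referrer-policy: no-referrer\r\n"
    "x-xss-protection: 1; mode=block; report=https://example.invalid/r/d/xss/enforce\r\n"
)
RAW_DUPLICATED = (
    "HTTP/2 302\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "x-xss-protection: 1; mode=block\r\n"
)

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> every value seen, so duplicates show up."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank/garbage line
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def parse_xss_directives(value: str) -> Dict[str, str]:
    """Parse '1; mode=block; report=https://...' into {directive: value}.
    Split on ';' only, then on the FIRST '=' so '=' inside the URL survives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    return directives

def check_xss_protection(raw: str) -> dict:
    """Summarise the X-XSS-Protection state of one response header block."""
    values = parse_headers(raw).get("x-xss-protection", [])
    directives = parse_xss_directives(values[0]) if values else {}
    return {
        "present": bool(values),
        "duplicate": len(values) > 1,   # e.g. set by nginx AND .htaccess
        "blocks": directives.get("mode") == "block",
        "report": directives.get("report"),  # None when no report= given
    }
```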