ISP Reverse Proxy changes case of Headers causing multiple occurrences

@grouchysysadmin
Thank you for clarifying the underlying issue.

It is the case-sensitive lookup (in core/js/setupchecks.js) that is giving rise to the admin message.

I would be grateful if you could raise a bug with just that.

[When I changed the definition of SecurityHeaders to lower case, the admin error messages went away. Of course, this is an incorrect fix.]

The duplication of headers is occurring for a more subtle reason and I need to get past the various caching, i.e. let it time out, and other elements within the ISP to determine the root cause.

Of course, the ISP is NOT randomly adding headers - Nextcloud is.

.htaccess has (lines snipped)

```apache
<IfModule mod_headers.c>
  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
```

So I expect that if the header is set, then so is the environment variable.

/lib/private/legacy/response.php has

```php
if(getenv('modHeadersAvailable') !== 'true') {
    header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
    header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
    header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
```

The headers being sent include (in order received)

```text
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: Sameorigin
```

and later

```text
x-xss-protection: 1; mode=block
x-robots-tag: none
x-frame-options: SAMEORIGIN
```

I am trying to understand what is occurring, and although I understand that the overall ordering of headers can be changed, they cannot be for a given header name, such as x-frame-options.

So it would appear at first sight that the legacy code is being invoked before the .htaccess process has been set.

But there are more tests needed before I could state definitively what is occurring.

Merging the headers could make this problem go away.

Neil
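An added example, not Nextcloud's setupchecks.js and not code from the post above: it runs a case-sensitive and a case-insensitive header lookup over a constructed copy of the headers listed in the post, to show why the proxy's lower-casing alone produces "missing header" warnings, and it also reports the duplicated names. The header table, the function names and the sample headers are assumptions made for this illustration.

```javascript
// Added example (not Nextcloud's setupchecks.js): a case-sensitive header
// lookup reports every security header as missing once a proxy lowercases
// header names; folding names to lower case removes the false positive.
// The expected-header table and the sample response below are constructed.

// Expected security headers, as a setup check might define them.
const SECURITY_HEADERS = {
  'X-XSS-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Robots-Tag': 'none',
};

// Constructed: header lines as received through a proxy that lowercases
// names and forwards both the Apache copy and the legacy PHP copy.
const PROXIED_RESPONSE_HEADERS = [
  'x-xss-protection: 1; mode=block',
  'x-content-type-options: nosniff',
  'x-frame-options: Sameorigin',
  'x-xss-protection: 1; mode=block',
  'x-robots-tag: none',
  'x-frame-options: SAMEORIGIN',
];

// Parse "Name: value" lines into [name, value] pairs, keeping duplicates.
function parseHeaders(lines) {
  return lines.map((line) => {
    const idx = line.indexOf(':');
    return [line.slice(0, idx).trim(), line.slice(idx + 1).trim()];
  });
}

// Expected header names not found in the response. With caseSensitive=true
// the comparison behaves like the lookup that triggers the admin warning;
// with false, both sides are folded to lower case (RFC 7230 header names
// are case-insensitive, so this is the correct comparison).
function missingSecurityHeaders(lines, caseSensitive) {
  const fold = (s) => (caseSensitive ? s : s.toLowerCase());
  const present = new Set(parseHeaders(lines).map(([n]) => fold(n)));
  return Object.keys(SECURITY_HEADERS).filter((n) => !present.has(fold(n)));
}

// Header names that occur more than once (compared case-insensitively),
// i.e. what the duplicated x-frame-options above looks like to a client.
function duplicatedHeaders(lines) {
  const counts = new Map();
  for (const [n] of parseHeaders(lines)) {
    const k = n.toLowerCase();
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return [...counts].filter(([, c]) => c > 1).map(([k]) => k).sort();
}
```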