NC11: Nosniff & SAMEORIGIN error message won't disappear?

I’m on a fresh installation of NC 11.0.0 on Ubuntu 16.04 x64 with ISPconfig 3.1.1.p1 and PHP 7.08

Those 2 warnings won’t disappear:

The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff".
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN".

I’ve checked the headers with http://web-sniffer.net/

As you can see, the headers are set.

Pretty links are working:

vi /var/www/nextcloud/config/config.php
'htaccess.RewriteBase' => '/nc',
sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess

I can access the site without index.php

Apache config:

vi /etc/apache2/apache.conf

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

vi /etc/apache2/conf-enabled/nextcloud.conf

Alias /nc "/var/www/nextcloud/"

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud

<Directory /var/www/nextcloud>
	Options +FollowSymlinks
	AllowOverride All
	Require all granted
	Satisfy Any

	<IfModule mod_dav.c>
        	Dav off
	</IfModule>

</Directory>

How can I make those 2 inconvenient warnings disappear?

Thank you!

I found it out by myself.

After removing it from /etc/apache2/conf-enabled/ssl-params.conf the warnings disappeared.

And what is in that file? Perhaps you are disabling important security features (cipher settings, …)

That’s the file with the cipher settings of ISPconfig, but I didn’t change them. SSL works well.

I just removed

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

because this is done by Nextcloud in .htaccess :wink:
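
Added example, not part of the thread and not Nextcloud's own check: a small Python audit that takes a raw response header block and reports security headers that arrive twice or with an unexpected value, which is the situation the thread resolves. It assumes the server-wide `Header always set` lines and the application's .htaccess both contribute to the same response; `SAMPLE` is a constructed response, and `parse_headers` and `audit` are hypothetical names.

```python
# Audit a raw HTTP response header block for duplicated or mismatched headers.
from collections import defaultdict

# Values the two warnings quoted in the thread ask for.
EXPECTED = {"x-content-type-options": "nosniff", "x-frame-options": "SAMEORIGIN"}

# Constructed sample (not captured output): one copy of each header from the
# server-wide config and one from the application's .htaccess (assumed layering).
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Return {lowercased name: [values in order]}, keeping repeated headers."""
    headers = defaultdict(list)
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw, expected=EXPECTED):
    """Classify each expected header as ok, missing, duplicate or mismatch."""
    headers = parse_headers(raw)
    report = {}
    for name, want in expected.items():
        values = headers.get(name, [])
        if not values:
            report[name] = ("missing", "")
        elif len(values) > 1:
            # A client that joins repeated headers sees "a, b", not "a".
            report[name] = ("duplicate", ", ".join(values))
        elif values[0].lower() != want.lower():
            report[name] = ("mismatch", values[0])
        else:
            report[name] = ("ok", values[0])
    return report

if __name__ == "__main__":
    for name, (status, seen) in audit(SAMPLE).items():
        print(f"{name}: {status} (seen {seen!r}, expected {EXPECTED[name]!r})")
```

Feeding it the header block saved from a real response shows whether a header is being set in more than one place before any line is removed from the server configuration.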