Nextcloud version 13.0.1.1
Operating system and version Ubuntu 16.04 LTS
Apache 2.4.25
PHP version 7
Hello,
I installed nextcloud in an own vhost on my ubuntu server. Now I have the problem, that scan.nextcloud.com says, all ok and i got A+. But if I check this on securityheaders.io or httpsecurityreport.com they say, there are no security headers. I see them in the browser, and it looks ok.
If i set them in the security.conf with “setifempty”, securityheaders.io says everything ok but scan.nextcloud says “oh oh, problems!” and the browser shows the setting like this:
X-Content-Type-Options: nosniff, nosniff
X-Frame-Options: SAMEORIGIN, sameorigin
It’s annoying and I couldn’t find out where the mistake is. Anyone an idea why it is like that?