Nextcloud Security Scan vs.

Nextcloud version
Operating system and version Ubuntu 16.04 LTS
Apache 2.4.25
PHP version 7


I installed nextcloud in an own vhost on my ubuntu server. Now I have the problem, that says, all ok and i got A+. But if I check this on or they say, there are no security headers. I see them in the browser, and it looks ok.
If i set them in the security.conf with “setifempty”, says everything ok but scan.nextcloud says “oh oh, problems!” and the browser shows the setting like this:

X-Content-Type-Options: nosniff, nosniff
X-Frame-Options: SAMEORIGIN, sameorigin

It’s annoying and I couldn’t find out where the mistake is. Anyone an idea why it is like that?


Could you please post the full test result? Maybe as a screenshot where you paint over the sensitive information like your domain name.

Some issues occur when headers are defined multiple times but in some configurations with apache the header settings seems necessary in the web server config and in the .htaccess as I read in another issue (don’t use apache myself).
So I’d like to see the results to get some insides what these test really complain about.