Nosniff & other duplicate headers on shared hosting with Nginx

I have an installation of NextCloud v18.0.3 on a shared host, and am having trouble with double headers.

Specifically, all of these are doubled up:

x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

I see that I’m not the first person to come across this, but haven’t yet been able to find a full or proper solution.

What I have found is that:

  1. If I follow the suggestion at Nextcloud 17 false warnings to change the lines in .htaccess to 'Header setifempty ', this does nothing.

  2. If I comment out the relevant lines in .htaccess, I only get a duplicate of nosniff.

  3. The file /lib/private/legacy/response.php also contains similar header lines, but commenting these out makes no difference (at least not in v18.0.3)

  4. Disabling Nginx Security Headers does fix the problem (according to the Nextcloud Settings page), provided the lines in .htaccess remain commented out.

I’ve no idea what the other implications of disabling Nginx security are. Though I gather that it’s possible to add an nginx.config file, which may be the solution, if I knew what to put in it?

My webhost suggested that I try using headers-more-nginx-module to overwrite the existing header, but, despite having looked at the documentation, I’m not sure how or where.

Having disabled and re-enabled Nginx security (without changing any settings), Security & setup warnings no longer list any problems. How did turning-it-off-and-back-on-again work?

…however Nextcloud Security Scan still reports a problem with X-Content-Type-Options…

Installation details:

Nextcloud version : 18.0.3
Operating system and version : Linux, version unknown
Apache or nginx version : Apache 2.4.41
Nginx version : unknown
PHP version : 7.3

This is a known problem that will be solved in NC 19. For now, edit your .htaccess and replace the nosniff line with this:
Header setifempty X-Content-Type-Options "nosniff"
Works for me.

Thanks for the quick response - but unfortunately that was the first thing I tried in my list above, and it doesn’t work (because of Nginx?)

My guess is that .htaccess is applied upstream of Nginx, and Nginx is applying it again. So I either need to strip all headers before the response reaches Nginx, then let Nginx apply the headers, or suppress headers being added by Nginx. Though I could be entirely wrong.

Any other ideas most welcome.
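The two strategies described in the post above (strip the upstream copy, or stop one layer from adding its own) both map onto concrete nginx directives. The following is an added example, not configuration from the original thread, the web host, or the Nextcloud project. It assumes nginx is a reverse proxy in front of Apache, that Apache (via Nextcloud's .htaccess) is the upstream at 127.0.0.1:8080, and that you can place such a server/location block wherever the host's nginx.config include is picked up; the address, server_name and layout are placeholders. Note that `Header setifempty` only acts inside Apache, which is why it cannot stop a second copy added by nginx.

```nginx
# Added example (not from the original post or from Nextcloud).
# Assumed layout: nginx terminates TLS and proxies to Apache on
# 127.0.0.1:8080, where Nextcloud's .htaccess already sets the
# security headers. Address and server_name are placeholders.

server {
    listen 443 ssl;
    server_name cloud.example.org;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Cause of the duplicates: add_header appends to whatever the
        # upstream already sent, so with Apache also setting these
        # headers the browser sees each one twice.
        #
        #   add_header X-Content-Type-Options nosniff;
        #   add_header X-Frame-Options SAMEORIGIN;
        #   add_header X-XSS-Protection "1; mode=block";

        # Fix A (core nginx, no extra module): drop Apache's copy with
        # proxy_hide_header, then let nginx set exactly one copy.
        # "always" also adds the headers on error responses (4xx/5xx).
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Fix B (headers-more-nginx-module, as the host suggested):
        # more_set_headers replaces an existing header of the same name,
        # including one received from the upstream, so a single directive
        # per header is enough and the .htaccess lines can stay as they
        # are. Use this instead of Fix A if the module is loaded.
        #
        #   more_set_headers "X-Content-Type-Options: nosniff";
        #   more_set_headers "X-Frame-Options: SAMEORIGIN";
        #   more_set_headers "X-XSS-Protection: 1; mode=block";
    }
}
```

Two caveats: nginx only inherits `add_header` from the enclosing server block when the location block itself has no `add_header` at all, so keep all of them at one level; and on shared hosting you may not be allowed to edit the nginx configuration at all, in which case the only levers left are the host's "security headers" toggle and the .htaccess lines. Whichever fix is applied, verify it from outside with `curl -sI https://cloud.example.org/` (placeholder host) and confirm each of the three header names appears exactly once.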

You reported Apache as your web server.

Sorry, my cutting and pasting could have been clearer; my host is using both Apache and Nginx; I should have reported:

Presumably configured something like this.