Just saw that when mod_status is enabled on Apache going to www.any-apache-server.com/server-status shows a great deal of information including currently open URL’s (try on your own instance). Would recommend that anyone running Nextcloud on Apache turn off mod_status (a2dismod status).
It’s more like a general advice when running a public web server and most distributions already have it disabled or only allow access from localhost. We could give an even more general advice to disable everything you don’t really need
on nc and all my other vhosts i get a 403 on this request - i run mod_status for munin on debian stretch.
i’m not 100% certain this was the default ( i usually double-check), status.conf contains this:
<Location /server-status>
SetHandler server-status
Require local #Require ip 192.0.2.0/24
</Location>
which makes it inaccessible form "the outside."
GOOD LUCK!