Recommend disabling mod_status for anyone running Nextcloud on Apache

Hi,

Just saw that when mod_status is enabled on Apache, going to www.any-apache-server.com/server-status shows a great deal of information, including currently open URLs (try on your own instance). Would recommend that anyone running Nextcloud on Apache turn off mod_status (a2dismod status).

Maybe this could be added in the server hardening guide here: Hardening and Security Guidance — Nextcloud 12 Server Administration Manual 12 documentation

It’s more like general advice when running a public web server, and most distributions already have it disabled or only allow access from localhost. We could give even more general advice to disable everything you don’t really need :smiley:

Or you could just place an .htaccess there, so you can still access it from your local network or your management machine.

Debian does not. Most things one does not need do not show all GET requests. But whatever. Thread closed.

On nc and all my other vhosts I get a 403 on this request - I run mod_status for munin on Debian stretch.
I’m not 100% certain this was the default (I usually double-check); status.conf contains this:

```
<Location /server-status>
    SetHandler server-status
    Require local
    #Require ip 192.0.2.0/24
</Location>
```

which makes it inaccessible from "the outside."
GOOD LUCK!
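
A way to check your own Apache 2.4 configuration for the situation discussed in this thread, as an added example that is not part of any post above: it finds every `<Location>` block that enables the `server-status` handler and reports whether a `Require` rule limits it. The function name and the three sample configs are constructed for illustration; only 2.4-style `Require` lines are understood, and the "restricted" verdict is a heuristic that does not evaluate how narrow the rule is.

```python
import re

# Constructed sample configs (not taken from any real server).
RESTRICTED = """\
<Location /server-status>
    SetHandler server-status
    Require local
    #Require ip 192.0.2.0/24
</Location>
"""
EXPOSED = """\
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
"""
NO_RULE = """\
<Location /status>
    SetHandler server-status
</Location>
"""

# Matches <Location path> ... </Location>, but not <LocationMatch ...>.
BLOCK = re.compile(r"<Location\s+\"?([^\s\">]+)\"?\s*>(.*?)</Location>", re.I | re.S)

def audit_status_locations(conf_text):
    """Return [(path, verdict, require_lines)] for every server-status handler."""
    findings = []
    for path, body in BLOCK.findall(conf_text):
        # Drop blank lines and comments so '#Require ip ...' is not counted.
        lines = [l.strip() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if not any(re.match(r"SetHandler\s+server-status\b", l, re.I) for l in lines):
            continue
        requires = [l for l in lines if re.match(r"Require\s", l, re.I)]
        if not requires:
            verdict = "no-rule"     # access is decided by other config sections
        elif any(re.match(r"Require\s+all\s+granted\b", l, re.I) for l in requires):
            verdict = "exposed"     # anyone who can reach the vhost can read it
        else:
            verdict = "restricted"  # e.g. Require local / Require ip ...
        findings.append((path, verdict, requires))
    return findings

if __name__ == "__main__":
    for conf in (RESTRICTED, EXPOSED, NO_RULE):
        print(audit_status_locations(conf))
```

Feed it the contents of the files that configure mod_status (the post above mentions `status.conf`) and review anything reported as `exposed` or `no-rule`.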