Security Hardening: "__Host prefix"

Upon running https://scan.nextcloud.com/ I found one hardening that my system does not have, titled "__Host-Prefix". This is described as:

The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of 'normal' same-site cookies.

Interestingly the doc does not seem to have any info on the hardening server page: https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html

However there is some more information at:

I’m confused as to why I’m seeing this error, and I don’t see much about mitigation. I’m unclear if the problem is that I have server aliases like https://www.nextcloud.mydomain.com/nextcloud nextcloud redirecting to https://nextcloud.mydomain.com/nextcloud

or is it that I’m using https://www.nextcloud.mydomain.com/nextcloud because https://www.nextcloud.mydomain.com/ redirects to the apache webserver success page?

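As an added example that is not part of the original post: the scanner description quoted above refers to the `__Host-` cookie name prefix, which browsers accept only when the cookie is marked `Secure`, carries no `Domain` attribute and has `Path=/`. The Python sketch below checks `Set-Cookie` header values against those rules; the cookie names and header values are constructed samples, not output from any real server.

```python
# Added example: check Set-Cookie values against the browser rules for the
# __Host- cookie name prefix (Secure present, no Domain, Path exactly "/").

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def host_prefix_problems(header):
    """Return the reasons this cookie does not qualify as a __Host- cookie."""
    name, attrs = parse_set_cookie(header)
    problems = []
    if not name.startswith("__Host-"):
        problems.append("name lacks the __Host- prefix")
    if "secure" not in attrs:
        problems.append("Secure attribute missing")
    if "domain" in attrs:
        # A Domain attribute would let the cookie be shared with sibling hosts.
        problems.append("Domain attribute present")
    if attrs.get("path") != "/":
        # A cookie scoped to a subdirectory cannot carry the prefix.
        problems.append("Path is not /")
    return problems


def audit(headers):
    """Map each cookie name to its list of problems (empty list = compliant)."""
    return {parse_set_cookie(h)[0]: host_prefix_problems(h) for h in headers}


# Constructed sample headers (hypothetical cookie names and values).
SAMPLE_HEADERS = [
    "__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session=abc; path=/nextcloud; secure; HttpOnly",
    "__Host-shared=abc; Path=/; Domain=mydomain.com; Secure",
]

if __name__ == "__main__":
    for cookie, problems in audit(SAMPLE_HEADERS).items():
        print(cookie, "->", problems or "OK")
```

To apply it to a live site, feed it the `Set-Cookie` values from the response headers shown in the browser's developer tools.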