I’ve been having a weird issue for a long time, and now I’ve decided it’s time to tackle it. When I go to the Nextcloud administration overview, the self-check tests report some warnings. My installation is in Italian, but basically they say that I haven’t hardened my HTTP headers. More precisely:
- X-Content-Type-Options is not set as nosniff
- X-Robots-Tag is not set as none
- X-Download-Options is not set as noopen
- X-Permitted-Cross-Domain-Policies is not set as none
- Referrer-Policy is not set as no-referrer (or a bunch of other options)
If I scan my installation with the Nextcloud service, this seems to be confirmed: https://scan.nextcloud.com/results/a12e2dea-a1fb-4205-b838-1090c5ef7585
However, this is my server (nginx) configuration file: https://pastebin.com/3GZuYpFj and as you can see the headers (with the correct settings) are all there. Moreover, if I look at the http headers returned by my installation through a website like https://headers.cloxy.net/ it’s evident that the http headers are actually served by the server.
I really cannot understand this discrepancy, and I can’t figure out if I’ve hardened my installation or not (I think I have, but given the scan results I’m not entirely sure). Can someone with more experience try to help me figure this out? The domain in question is https://cloud.iacchi.casa/
Thanks in advance!
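A small checker for the situation described in this post, added here as an example and not part of the original post or of Nextcloud's own self-check. It fetches a URL and compares the response headers against the values the warnings above ask for, and it also flags a header that is sent more than once (for instance when both nginx and the PHP application set it), because a checker that reads only the first or last copy can disagree with a site that "looks right" in a browser tool. The Referrer-Policy list is my assumption about which values Nextcloud accepts; the sample responses are constructed. One nginx behaviour worth checking with it: `add_header` directives in a `location` block replace, rather than extend, the ones inherited from the enclosing `server` block, so the headers can be present on `/` and absent on the PHP location the self-check actually requests. Run it against the exact URLs the scan hits, not only the front page.

```python
"""Compare a site's HTTP response headers with the hardening values Nextcloud warns about.

Added example, not the project's code. Expected values are taken from the warnings
quoted in the post; the accepted Referrer-Policy values are an assumption; the two
SAMPLE_* responses below are constructed, not captured from any real server.
"""
import sys
import urllib.request
from typing import Dict, Iterable, List, Tuple

# Header name -> acceptable values (compared case-insensitively).
EXPECTED: Dict[str, Tuple[str, ...]] = {
    "X-Content-Type-Options": ("nosniff",),
    "X-Robots-Tag": ("none",),
    "X-Download-Options": ("noopen",),
    "X-Permitted-Cross-Domain-Policies": ("none",),
    # Assumption: the set of Referrer-Policy values the Nextcloud check accepts.
    "Referrer-Policy": (
        "no-referrer",
        "no-referrer-when-downgrade",
        "strict-origin",
        "strict-origin-when-cross-origin",
        "same-origin",
    ),
}


def check_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return a list of human-readable problems; an empty list means all checks passed.

    `headers` is a sequence of (name, value) pairs so that duplicates are visible;
    a dict would silently collapse them.
    """
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    problems: List[str] = []
    for name, accepted in EXPECTED.items():
        values = by_name.get(name.lower(), [])
        if not values:
            problems.append(f"{name}: missing")
        elif len(values) > 1:
            # Sent twice (e.g. once by nginx, once by the application): a checker
            # may only look at one copy, so report it even if both values are fine.
            problems.append(
                f"{name}: sent {len(values)} times ({', '.join(values)}); "
                "set it in exactly one place"
            )
        elif values[0].lower() not in accepted:
            problems.append(f"{name}: got {values[0]!r}, expected one of {accepted}")
    return problems


def fetch_headers(url: str) -> List[Tuple[str, str]]:
    """GET the URL and return its response headers as (name, value) pairs, duplicates kept."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return list(resp.getheaders())


# Constructed sample: every header present exactly once with an accepted value.
SAMPLE_OK: List[Tuple[str, str]] = [
    ("Server", "nginx"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Robots-Tag", "none"),
    ("X-Download-Options", "noopen"),
    ("X-Permitted-Cross-Domain-Policies", "none"),
    ("Referrer-Policy", "no-referrer"),
]

# Constructed sample: one header duplicated, one missing, one with a rejected value.
SAMPLE_BAD: List[Tuple[str, str]] = [
    ("Server", "nginx"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Robots-Tag", "none"),
    ("X-Download-Options", "noopen"),
    ("Referrer-Policy", "unsafe-url"),
]


def main(argv: List[str]) -> int:
    # With a URL argument, check the live site; without one, demonstrate on the samples.
    if len(argv) > 1:
        problems = check_headers(fetch_headers(argv[1]))
    else:
        problems = check_headers(SAMPLE_BAD)
    for p in problems:
        print("WARN", p)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 header_check.py https://example.invalid/index.php/login` (placeholder URL) prints one WARN line per header the checker would complain about and exits non-zero, which makes it easy to run after every nginx reload.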