Solve Nextcloud self-check https header warning

I’ve been having a weird issue for a long time, and now I’ve decided it’s time to tackle it. When I go to the Nextcloud administration overview, the self-check tests report some warnings. My installation is in Italian, but basically they say that I haven’t hardened my http headers. More precisely:

  • X-Content-Type-Options is not set as nosniff
  • X-Robots-Tag is not set as none
  • X-Download-Options is not set as noopen
  • X-Permitted-Cross-Domain-Policies is not set as none
  • Referrer-Policy is not set as no-referrer (or a bunch of other options)

If I scan my installation with the Nextcloud service, this seems to be confirmed:

However, this is my server (nginx) configuration file: and as you can see the headers (with the correct settings) are all there. Moreover, if I look at the http headers returned by my installation through a website like it’s evident that the http headers are actually served by the server.

I really cannot understand this discrepancy, and I can’t figure out if I’ve hardened my installation or not (I think I have, but given the scan results I’m not entirely sure). Can someone with more experience try to help me figure this out? The domain in question is

Thanks in advance!
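
One way to check a captured response against the five headers listed in the post, as an added example that is not part of the original post. The function names and the sample response are constructed for illustration; only `no-referrer` is accepted for Referrer-Policy here, because the post does not list the other permitted values.

```python
# Expected values as listed in the post (header names compared case-insensitively).
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-robots-tag": {"none"},
    "x-download-options": {"noopen"},
    "x-permitted-cross-domain-policies": {"none"},
    "referrer-policy": {"no-referrer"},  # extend with other accepted values
}

def parse_headers(raw):
    """Return {lowercased name: [values]} and keep repeated header lines."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check(raw, expected=EXPECTED):
    """Classify each expected header as ok, missing, duplicated or unexpected."""
    headers = parse_headers(raw)
    report = {}
    for name, allowed in expected.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            # Reported separately: a client that joins repeated lines sees
            # "value, value" instead of the single expected value.
            report[name] = "duplicated"
        elif values[0].lower() not in allowed:
            report[name] = "unexpected value"
        else:
            report[name] = "ok"
    return report

# Constructed sample response (not taken from the poster's server).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Robots-Tag: none\r\n"
    "X-Download-Options: noopen\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for header, status in check(SAMPLE).items():
        print(f"{header}: {status}")
```

Feed it the raw header block saved from a request to the Nextcloud URL itself, so the check covers the same response the self-check evaluates.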