Hi, after the update to nextcloud the following configuration message appeared:
The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential security or privacy risk, and we recommend changing this setting.
To solve the security bug I added the following string in the .htaccess file:
Header always append X-Frame-Options SAMEORIGIN
But the warning continues to show up.
What is this problem due to? thank you so much
Put this into .htaccess:
Header set X-Frame-Options "SAMEORIGIN"
I tried, but the error always occurs 
In NC 11+ the X-Frame-Options header is set automatically by PHP to SAMEORIGIN.
Security header test here:
Which version of Nextcloud?
Which webserver do you use and which PHP version?
I ran the test and X-Frame-Options SAMEORIGIN is active! But nextcloud keeps going me wrong
Php 7.2.8
Are you behind a firewall or proxy?
then do a grep in the webroot of your installation:
grep -R SAMEORIGIN *
and open
~/core/doc/admin/_sources/release_notes.txt
This is what Google Chrome is telling about your http headers (by pressing F12):
Perhaps Cloudflare is the problem?
I do not think so, because I do not use cloudflare, nextcloud is hosted on a shared hosting
As you can see in the screenshot above, the X-Frame-Options header is set twice, 1x from .htaccess and 1x from PHP. Obviously ~/lib/private/legacy/response.php is doing it.
I would contact Cloudflare support.
But maybe your hoster does?
no, I asked technical support
I would send them the screenshot above and ask why the headers behind the CDN are not recognized by Nextcloud.
Which CDN or reverse proxy do they use?
I have not asked, surely it will be their private security system, they are a very large company
If you are using nginx then remove it:
https://docs.nextcloud.com/server/12/admin_manual/release_notes.html
my hosting uses apache 
I can not understand why this warning! It comforts me that it actually works
I have a similar situation, but self hosted. .htaccess includes the header line and my server config does it, too. So the server sets the header twice and I see the warning. I deleted it from .htaccess, because the server config is used for several subdomains and I do not want to have different configs for different subdomains.
I do not know if a double header line is a security risk. If not, and if your hoster cannot fix it, just ignore it …
Hi All,
After reading so many posts her and there… What finally worked for me was to realize and make sure that there is only one “version” of sameorigin or SAME ORIGIN or noreferrer/and variations or strict origin/and variations in all your .htaccess and .conf (nextcloud-ssl.conf or any name you gave it). In my case I left only this:
Header always set Referrer-Policy “strict-origin-when-cross-origin”
In my nextcloud-le-ssl.conf under the /etc/apache2/sites-enabled directory.
Hope this help all of you.
Fernando
I had the same problem, you need to comment out the following from /etc/httpd/conf.d/ssl.conf
from
Header always set X-Frame-Options DENY
to
#Header always set X-Frame-Options DENY
