Same problem here but easy to fix.
tl;dr:
Edit your php.ini and add/set:
session.cookie_secure=1
You may need to do a reload of your php-fpm process depending on your installation.
Explanation:
Since Nextcloud version 31, the missing __Host- prefix can be seen when requesting /status.php:
curl -I https:///status.php
[…]
set-cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
[…]
The Nextcloud security scanner requests this file and consequently gives the A rating.
On any other request the __Host- prefix was set correctly.
The reason can be found in lib/base.php, line 365:
// Do not initialize sessions for 'status.php' requests
// Monitoring endpoints can quickly flood session handlers
// and 'status.php' doesn't require sessions anyway
if (str_ends_with($request->getScriptName(), '/status.php')) {
    return;
}
[...]
if ($request->getServerProtocol() === 'https') {
    ini_set('session.cookie_secure', 'true');
}
So session.cookie_secure does not get set to true for status.php.
This was a change between Nextcloud 30 and 31.
I think this should be mentioned in the upgrade and/or changelog documentation.
Users with an A+ rating after upgrading to version 31 already had this setting in their php.ini.
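
To check a `curl -I` header dump for this condition, the following added example (not part of the original post and not Nextcloud code) audits each `set-cookie` line against the `__Host-` prefix rules: Secure present, Path=/, no Domain. The function names are hypothetical, the first two sample lines are the status.php headers quoted above, and the third is a constructed compliant cookie.

```python
# Added example: audit Set-Cookie headers for the __Host- prefix rules.
# A __Host- cookie must carry Secure, Path=/ and no Domain attribute.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, lowercase attribute dict)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header_value):
    """Return a list of findings for one Set-Cookie value (empty = OK)."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if not name.startswith("__Host-"):
        findings.append("missing __Host- prefix")
    if "secure" not in attrs:
        findings.append("missing Secure attribute")
    if attrs.get("path") != "/":
        findings.append("Path is not /")
    if "domain" in attrs:
        findings.append("Domain attribute present")
    return findings

def audit_response(raw_headers):
    """Audit every set-cookie line in a raw header dump (e.g. curl -I output)."""
    report = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")  # split at the first colon only
        if sep and field.strip().lower() == "set-cookie":
            name, _ = parse_set_cookie(value)
            report[name] = audit_cookie(value)
    return report

# Lines 1-2: the status.php headers quoted in the post.
# Line 3: constructed sample of a compliant cookie, for comparison.
SAMPLE = """\
set-cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly; secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
"""

if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE).items():
        print(cookie, "->", problems or "OK")
```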