X-Download-Options NC24 Ubuntu 22.04

I solved the issue and got back my A+ score.

The line for X-Download-Options was missing in my htaccess file; refer to the link below.
I added the lines related to X-Download-Options in my htaccess located at:

/var/www/nextcloud/.htaccess


Hey there, I am having the same issue. I found the .htaccess file but I do not understand how to edit it exactly as described by zertin.
There are many lines called like “Header onsuccess unset […]”.
I just don’t get it right now.
Could you please help me out very quickly?
Thank you very much (:

That is my .htaccess file in /var/www/nextcloud/.htaccess

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUT>
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTH>
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" tab>
    # then add headers to "always" table: https://github.com/nextcl>
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)(\?v=.*)?$>
    Header set Cache-Control "max-age=15778463, immutable"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

# PHP 7.x
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [>
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /inde>
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|con>
</IfModule>

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|w>
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update\.php
  RewriteCond %{REQUEST_FILENAME} !/core/img/(favicon\.ico|manifest>
  RewriteCond %{REQUEST_FILENAME} !/(cron|public|remote|status)\.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v(1|2)\.php
  RewriteCond %{REQUEST_FILENAME} !/robots\.txt
  RewriteCond %{REQUEST_FILENAME} !/(ocm-provider|ocs-provider|upda>
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-va>
  RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/prox>
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

Your htaccess also misses X-Download-Options between X-Content and X-Frame, so add the two following lines in between.

Header onsuccess unset X-Download-Options
Header always set X-Download-Options “noopen”


Awesome :fire: , that worked, thanks a lot :pray:


How long did it take for the security scan to show that this header option was added and upgrade the rating to A+? I’ve made the change and restarted apache, but it still shows A with that option missing.

You manually re-trigger a scan:

Hello, I’m running NC in a FreeBSD jail using Apache as web server and nginx as reverse proxy.
I followed the solution by adding those 2 lines of code into .htaccess, but unfortunately the security check still complains about x-download-options.
I restarted Apache and retriggered the verification check, but the warning is still present.

In case this helps anyone: I copy/pasted the lines above and, although they look fine in the editor, there was an encoding problem that prevented “noopen” from rendering correctly. Typing is better than copy/paste and restored A+ rating.


Just a few minutes.

You maybe have to add this option in the nginx configuration file .conf (/etc/nginx/conf.d/).

Check that the following option is present

add_header X-Download-Options noopen;


Thanks @thierry333 :+1:

Just for noobs like me: when I copy the lines from @thierry333 into the terminal, I get this for the second line:

 Header always set X-Download-Options `^`^|noopen ^`^`}

instead of

 Header always set X-Download-Options "noopen"

Therefore, here is the clean copy-paste version:

 Header onsuccess unset X-Download-Options
 Header always set X-Download-Options "noopen"

Hello, this is the NC-related part of my nginx reverse proxy config:

location / {
add_header Strict-Transport-Security “max-age=15552000; includeSubDomains” always;
proxy_ssl_verify off;
proxy_pass http://10.0.0.48;
# set proper x-forwarded-headers
proxy_set_header ‘X-Forwarded-Host’ nextcloud.xxxx.com;
proxy_set_header ‘X-Forwarded-Proto’ https;
proxy_set_header ‘X-Download-Options’ noopen;
proxy_set_header Host $host;

This is the relevant part of my .htaccess file:

Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options “nosniff”

Header onsuccess unset X-Download-Options
Header always set X-Download-Options “noopen”

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

If that can help: I’m running the nginx reverse proxy on a Linux server
and NC from a TrueNAS FreeBSD jail using php81.

The " seems different on X-Download-Options; just try to copy " from X-Frame, for example. It is probably not the issue, but let’s try.


I confirm it was the " character that was wrong. Working nicely right now.
Unfortunately I have just that on my Italian keyboard; they seem to be more inclined …
I’m thinking how to solve that,
because it will be difficult to enter any part of code by typing… I just have to copy-paste… and I don’t like that.


I wouldn’t add it, since it was removed by the NC devs. X-Download-Options is only used in Internet Explorer, and no one at this point should be using IE. Please see the link below.

So that’s all correct then.

As these older Internet Explorer headers have been removed, only the Nextcloud security scan would now need to be adjusted.

Nextcloud version 23.0.5.1 currently gets an A+ rating and Nextcloud version 24.0.1.1 only an A rating.

Yup, I stepped into this too… Thanks for reminding!

Watch out when copying the two lines from @thierry333 above: the quotation marks (") should not be copied from the text above into the .htaccess.

They are not the standard double quotation marks that are expected by .htaccess.

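A small checker for the two problems this thread turns up (a header that is never put into the "Header always set" table, and a value wrapped in typographic quotes after a copy/paste), written as an added example and not code from the thread or from Nextcloud; the expected-header list and the sample .htaccess excerpt are constructed for the example:

```python
import re

# Response headers the Nextcloud security scan discussed in this thread
# looks for in the "Header always set" table (X-Download-Options was missing).
EXPECTED_HEADERS = {
    "Referrer-Policy", "X-Content-Type-Options", "X-Download-Options",
    "X-Frame-Options", "X-Permitted-Cross-Domain-Policies",
    "X-Robots-Tag", "X-XSS-Protection",
}
# Typographic quotes that forum software substitutes for the ASCII " that
# Apache expects; a value wrapped in them is not the plain token noopen.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"
HEADER_RE = re.compile(
    r"^\s*Header\s+(?:(onsuccess|always)\s+)?(set|unset)\s+(\S+)")

def check_htaccess(text):
    """Return (missing, bad_lines): expected headers that are never
    'Header always set', and (line number, header) pairs for Header lines
    that contain smart quotes."""
    always_set, bad_lines = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue
        table, action, name = m.groups()
        if any(ch in SMART_QUOTES for ch in line):
            bad_lines.append((lineno, name))
            continue  # do not count a mis-quoted line as a valid set
        if table == "always" and action == "set":
            always_set.add(name)
    return sorted(EXPECTED_HEADERS - always_set), bad_lines

# Constructed sample modelled on the .htaccess excerpt in this thread; the
# X-Download-Options value carries the curly quotes from a copy/paste.
SAMPLE = """\
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"
    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"
    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options \u201cnoopen\u201d
    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
"""

if __name__ == "__main__":
    missing, bad = check_htaccess(SAMPLE)
    print("missing:", missing)          # ['X-Download-Options']
    print("smart-quoted lines:", bad)   # [(6, 'X-Download-Options')]
```

Run it against the real file with `check_htaccess(open("/var/www/nextcloud/.htaccess").read())`; an empty result for both values means the directives are present and use plain ASCII quotes.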

Yep,


This worked for me.
I added that line in the server block of my nextcloud server in the nginx.conf file of my reverse proxy.
I suppose I would have achieved the same result by inserting a similar line in the apache config file on my nextcloud server, but I’d rather mess with my reverse proxy than with the nextcloud server config.