There is also the `Header always set` directive, which is served via a different table, also if the request fails. Both directives (with and without `always`) do not replace each other.
The `.htaccess` inside the Nextcloud directory contains the Header as well, which might be the reason for the duplication. Will check which method to use where to ensure the Header is set inside and outside the Nextcloud page, if desired.
€: Okay, just rechecked and tried to remember when I faced this issue:
- Actually this is just an issue in combination with PHP-FPM; at least on my Apache + `mod_php` server, I can set the header without any warning, and it is then served for all websites.
- I faced the issue with Nginx + PHP-FPM: X-Frame-Options "SAMEORIGIN": NC on nginx keeps warning me
  As you can see, at least within this thread, no solution was found so far, besides disabling the setting server-wide. Still not sure if it is actually enabled for Nextcloud then, since `curl` reports nothing about the header, or if Nextcloud scans wrong, but:
- I remember that I read somewhere that the header is set by PHP(-FPM) already.
- And btw, X-Frame-Options is also the only security header not contained in Nextcloud's `.htaccess`:

  ```
  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>
  ```
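
Added example, not part of the original post and not Nextcloud's own check: a small audit of a raw response header block (such as saved `curl -sI` output) that reports which of the headers discussed above are missing or sent more than once, for both a successful and a failed request. The function names, the `COMMA_OK` exception and both sample responses are constructed for illustration.

```python
from collections import defaultdict

# X-Frame-Options plus the headers set in the quoted .htaccess snippet.
EXPECTED = ["X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection",
            "X-Robots-Tag", "X-Download-Options",
            "X-Permitted-Cross-Domain-Policies"]
# Headers whose single value may itself contain commas (assumption of this example).
COMMA_OK = {"x-robots-tag"}

def parse_headers(raw):
    """Return {lowercased name: [value, ...]}, keeping every occurrence."""
    seen = defaultdict(list)
    for line in raw.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()].append(value.strip())
    return seen

def audit(raw, expected=EXPECTED):
    """Map each expected header to 'ok', 'missing' or 'duplicated: ...'."""
    seen = parse_headers(raw)
    report = {}
    for name in expected:
        key = name.lower()
        values = seen.get(key, [])
        if key not in COMMA_OK:
            # Intermediaries may fold repeated headers into one comma-joined line.
            values = [p.strip() for v in values for p in v.split(",")]
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicated: " + ", ".join(values)
        else:
            report[name] = "ok"
    return report

# Constructed sample: X-Frame-Options set by two layers on a successful response.
SAMPLE_200 = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
"""
# Constructed sample: error response where only an "always" header survives.
SAMPLE_404 = """HTTP/1.1 404 Not Found
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    for label, raw in (("200", SAMPLE_200), ("404", SAMPLE_404)):
        print(label, audit(raw))
```

Running the audit against both a normal page and an error page makes it visible which layer (server config, `.htaccess`, PHP-FPM) contributes a header and whether it was set with or without `always`.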