X-Frame-Options set twice: DENY & SAMEORIGIN

Nextcloud version (eg, 20.0.5): 23.0.2
Operating system and version (eg, Ubuntu 20.04): Linux raspberrypi 5.10.103-v8+
Apache or nginx version (eg, Apache 2.4.25): nginx/1.18.0
PHP version (eg, 7.4): PHP 7.4.28 (cli) (built: Feb 17 2022 16:17:19) ( NTS )

The issue you are facing:
I get the warning: “The “X-Frame-Options” HTTP header is not set to “SAMEORIGIN”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.”.
However, when I add
add_header X-Frame-Options "SAMEORIGIN";
to either
/etc/nginx/sites-enabled/default,
/etc/nginx/nginx.conf or
/etc/nginx/conf.d/nextcloud.conf,
the header does not change to SAMEORIGIN; instead, SAMEORIGIN gets added and the DENY header stays there. I have searched all the config files and did not find a cause for the DENY.

This is a screenshot of the response headers:

[screenshot of the response headers, not reproduced here]

Something interesting I found out: the filetypes that have the double x-frame-options header are HTML, SVG and JSON. XML has only the SAMEORIGIN header.

Is this the first time you’ve seen this error? (Y/N): It was there since I set up my Nextcloud server a few weeks ago. Only now did I finally try to squash it…

Steps to replicate it:
Honestly, I have no idea how I even caused this, let alone how to replicate it: I installed Nextcloud with Nginx, PHP & MariaDB. After this I set up SSH with self-signed certificates.

The output of your Nextcloud log in Admin > Logging:
Only a bunch of debug info about an update I did recently (unrelated to the issue I described above). If anyone still wants to see it, don’t hesitate to ask.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):


<?php
$CONFIG = array (
  'instanceid' => '-',
  'passwordsalt' => '-',
  'secret' => '-',
  'trusted_domains' =>
  array (
    0 => '192.168.0.143',
    1 => '-',
    2 => '-',
  ),
  'datadirectory' => '/usr/share/nginx/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '23.0.2.1',
  'overwrite.cli.url' => 'http://192.168.0.143',
  'dbname' => '-',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '-',
  'dbpassword' => '-',
  'installed' => true,
  'updater.secret' => '-',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

The output of your Apache/nginx/system log in /var/log/____:
Again, as far as I can see there is nothing relevant in there and I'd have to blur out a ton of IPs and stuff like that, if anyone still wants to see it lmk!
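Added example (not from the original post, and not Nextcloud's or nginx's own code): a small Python check that parses a raw HTTP response, lists every X-Frame-Options value it carries and works out what a browser does with the combination. It is relevant here because nginx's add_header appends a header to the response; it does not replace a header that the PHP-FPM upstream already sent, so an application-set DENY and an nginx-set SAMEORIGIN both reach the client, which matches what the post describes. The two sample responses are constructed to mirror that symptom and the clean XML case; they are not captured from the poster's server. The browser_framing_decision function follows the HTML Standard's X-Frame-Options algorithm, under which several differing values that include DENY or SAMEORIGIN are treated as a block (fail closed), so the duplicate is not only a cosmetic warning.

```python
"""Detect duplicated or conflicting X-Frame-Options headers in a raw HTTP response.

Added example, not part of the original post. The sample responses are
constructed to mirror the reported symptom (DENY from the application plus a
SAMEORIGIN appended by nginx add_header); they are not captured traffic.
"""
from typing import Dict, List

# Constructed sample: what the post describes for an HTML response.
DUPLICATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: a single, consistent header, as reported for XML.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: application/xml\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response into a case-insensitive header multi-map.

    Header names are lowercased; a repeated header keeps every value in order,
    because the repetition is exactly what this check is looking for.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def xfo_values(headers: Dict[str, List[str]]) -> List[str]:
    """All X-Frame-Options tokens, lowercased and comma-split as a browser does."""
    values: List[str] = []
    for raw in headers.get("x-frame-options", []):
        for token in raw.split(","):
            token = token.strip().lower()
            if token:
                values.append(token)
    return values


def browser_framing_decision(values: List[str]) -> str:
    """Approximate the HTML Standard's X-Frame-Options check for a cross-origin embed.

    Returns "allowed" or "blocked". More than one distinct value that includes
    deny/sameorigin/allowall blocks framing (fail closed); a lone unrecognised
    value is ignored. A cross-origin parent is assumed, so a single SAMEORIGIN
    also blocks.
    """
    distinct = set(values)
    if not distinct:
        return "allowed"
    if len(distinct) > 1:
        return "blocked" if distinct & {"deny", "sameorigin", "allowall"} else "allowed"
    (only,) = distinct
    if only in ("deny", "sameorigin"):
        return "blocked"
    return "allowed"


def audit(raw: str) -> dict:
    """Summarise the X-Frame-Options state of one response."""
    headers = parse_headers(raw)
    values = xfo_values(headers)
    return {
        "values": values,
        "duplicated": len(headers.get("x-frame-options", [])) > 1,
        "conflicting": len(set(values)) > 1,
        "cross_origin_framing": browser_framing_decision(values),
        # Exactly one SAMEORIGIN is what the Nextcloud warning asks for.
        "single_sameorigin": values == ["sameorigin"],
    }


if __name__ == "__main__":
    for label, raw in (("duplicated", DUPLICATED_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, audit(raw))
```

To audit a live server, pass audit() the text saved from `curl -i` against the affected URL (HTML, SVG and JSON paths per the post). On the nginx side, a header that arrives from the FastCGI upstream can be suppressed in the PHP location with `fastcgi_hide_header X-Frame-Options;`, after which only the add_header value is sent; which component emits the DENY on this install is not established in the post, so confirm where it comes from before changing config.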