False recommended header warnings since 17.0.1 #18017

@avuton


On my Nextcloud instance nc.anpmech.com, since 17.0.1 I'm getting warnings in the admin page about missing headers. These seem like false warnings, but I wouldn't doubt I'm just, somehow, doing something wrong. Further dumbfounding me is that the same results now exist on scan.nextcloud.com when I didn't see them before.

Warnings Screenshot

avuton@xps:~$ curl -I https://nc.anpmech.com
HTTP/2 302 
date: Tue, 19 Nov 2019 17:11:55 GMT
server: Apache/2.4.41 (Debian)
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-security-policy: default-src 'self'; script-src 'self' 'nonce-bUlDeFhKaE1LUFBLTmYrM1pFY3cxUTkrWFYrckdZNzhNMGF0SklCS0hldz06OXJmNVBlSjZZcktFVTd2eE5Tc2JrR3NtTWdyb1hQdTFZeUR1VXVVNmNLND0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: ocgdgj675i9h=5e3gm7e49tt5u4mv9rlato9qnv; path=/; secure; HttpOnly
set-cookie: oc_sessionPassphrase=6fvHuEvvnj92ftLKgXWI5OI8O79rixP0tmqpVJxJ4gxiFLQJ1OUt%2F50wX8DR%2BobFtXV1aTLTA8d%2FMYQzqEMFT4BttKH%2F0iYrNVN3QCAf7xBry2l%2FSY%2BcpbF%2FtdrNzHZ6; path=/; secure; HttpOnly
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
strict-transport-security: max-age=15552000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
location: https://nc.anpmech.com/index.php/login
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
content-type: text/html; charset=UTF-8
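
Several security headers appear twice in the response above. As an added example (not part of the original report and not Nextcloud's code), the following parses a `curl -I` dump, lists the repeated fields, and shows the comma-joined value seen by a client that combines repeated fields, as RFC 7230 permits. The strict-equality check and the `EXPECTED` table are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: a subset of the header lines from the curl -I output
# above, in the same order (CSP, cache, cookie and location lines left out).
SAMPLE = """\
HTTP/2 302
strict-transport-security: max-age=15552000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
"""

# Hypothetical table for a strict checker (assumption; values as seen above).
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "no-referrer",
}

def parse_headers(raw):
    """Map lower-cased field name -> list of values, one per occurrence."""
    fields = defaultdict(list)
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("HTTP/"):
            fields[name.strip().lower()].append(value.strip())
    return fields

def duplicated(raw):
    """Fields sent more than once, with the value a combining client sees."""
    return {n: ", ".join(v) for n, v in parse_headers(raw).items()
            if len(v) > 1 and n != "set-cookie"}  # set-cookie may repeat

def exact_match_failures(raw, expected=EXPECTED):
    """Fields whose combined value is not exactly the expected string."""
    seen = parse_headers(raw)
    return sorted(n for n, want in expected.items()
                  if ", ".join(seen.get(n, [])) != want)
```

To run it against a live server, pass the text of `curl -sI <url>` to `duplicated()` in place of `SAMPLE`.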
