When we have completed the installation wizard, we must go to https://nextcloud.example.com/settings/admin to see the security and setup warnings.


Most of the warnings are related to the headers, so create a new file just for those:

# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

And include it in the server section and in the CSS and JavaScript location:

server {

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# Add headers to serve security related headers
    include conf.d/nextcloud-example-com/headers;

    # Logs
    include conf.d/nextcloud-example-com/logs;


    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";

        # Add headers to serve security related headers
        include conf.d/nextcloud-example-com/headers;

        # Optional: Don't log access to assets
        access_log off;



Another one is related to php-fpm not reading environment variables. Let’s fix that too uncommenting the environment variables:

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
_$: systemctl restart php7.0-fpm.service

Integrity checks

If your .user.ini and your .htaccess are whown as having integrity problems, first make sure that they were copied to the /var/www/nextcloud directory. If they were, but you are still having trouble with the integrity check, redownload the nextcloud zip and overwrite the previous ones.