Nextcloud13から一気に16まであげてみました。
すると概要に下記の警告が出るようになりました。
CentOS 7.6, Nginx 1.14.2ですが、
nginxに下記の項目は記述しています。

> The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Robots-Tag" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Download-Options" HTTP header is not set to "noopen". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
> The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

URLスキャンツールで、
例えばmozilla(https://observatory.mozilla.org/)で試すと、
上記はセットされていると認識されています。
どちらが正しいのでしょうか?