Fix security header setting in .htaccess by adding 'onsuccess unset'

The headers might already be set by the system administrator at the http server
level (apache or nginx) for some or all virtualhosts.

Using "always set" in the .htaccess of Nextcloud leads to the situation where
the headers might be set twice (once in the default 'onsuccess' table and once
in the 'always' table)! Which leads to warnings in the admin area.

Adding "onsuccess unset" solves the problem, and forces the header in
the 'onsucess' table to be unset, and the header in the 'always' table to be set.

NOTE: with this change, Nextcloud overrides whatever the system administrator
might have already set

See github issues nextcloud#16893 nextcloud#16476 nextcloud#16938 nextcloud#18017 and discussion in PR nextcloud#19002

Signed-off-by: zertrin <[email protected]>

Author: zertrin

.htaccess

@@ -11,13 +11,13 @@
 
   <IfModule mod_env.c>
     # Add security and privacy related headers
-    Header always set Referrer-Policy "no-referrer"
-    Header always set X-Content-Type-Options "nosniff"
-    Header always set X-Download-Options "noopen"
-    Header always set X-Frame-Options "SAMEORIGIN"
-    Header always set X-Permitted-Cross-Domain-Policies "none"
-    Header always set X-Robots-Tag "none"
-    Header always set X-XSS-Protection "1; mode=block"
+    Header always setifempty Referrer-Policy "no-referrer"
+    Header always setifempty X-Content-Type-Options "nosniff"
+    Header always setifempty X-Download-Options "noopen"
+    Header always setifempty X-Frame-Options "SAMEORIGIN"
+    Header always setifempty X-Permitted-Cross-Domain-Policies "none"
+    Header always setifempty X-Robots-Tag "none"
+    Header always setifempty X-XSS-Protection "1; mode=block"
     SetEnv modHeadersAvailable true
   </IfModule>