Feature Request: Support for reverse-proxy-only SSL deployments in header validation checks #41420

@GuyOxford-com

Problem

ownCloud currently performs internal HTTP(S) requests to validate security headers (e.g., X-Frame-Options, X-Content-Type-Options). In reverse-proxy-only SSL setups — where HTTPS is terminated at the proxy and the backend serves plain HTTP — these internal checks fail, even when headers are correctly injected and externally visible.

Expected Behavior

ownCloud should support deployments where:

  • SSL is terminated at a reverse proxy
  • The backend (e.g., Apache) serves HTTP only
  • All required headers are injected at the proxy or backend
  • External clients and curl confirm header presence

Actual Behavior

ownCloud reports missing headers in the admin UI, despite:

  • Headers being present on /status.php and /index.php
  • Verified via curl and browser
  • overwrite.cli.url, overwritehost, and overwriteprotocol set
  • trusted_proxies and forwarded_for_headers configured

Suggested Solution

  • Allow disabling internal header validation via config.php
  • Or, allow specifying a custom internal endpoint for header checks
  • Or, detect and trust headers from overwriteprotocol and trusted_proxies context

Environment

  • ownCloud version: 10.15.3.0
  • Reverse proxy: CloudPanel-managed Nginx
  • Backend: Apache (HTTP only)
  • OS: Ubuntu 22.04
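
One way to confirm the discrepancy the issue describes is to compare the response headers seen through the proxy with those returned by the backend directly. This is an added example, not ownCloud code and not part of the original report; the two responses are constructed samples in the shape `curl -sI` prints, and the function names are hypothetical.

```python
"""Compare security headers seen through the proxy with those on the backend."""

# Header names taken from the issue text; extend the tuple as needed.
REQUIRED = ("X-Frame-Options", "X-Content-Type-Options")


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head into {lowercased-name: [values]}.

    Header names are case-insensitive (HTTP/2 lowercases them), and a header
    repeated on several lines keeps every value.
    """
    headers: dict[str, list[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                    # ignore malformed lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def missing(raw: str, required=REQUIRED) -> list[str]:
    """Return the required headers that are absent from one response."""
    present = parse_headers(raw)
    return [h for h in required if h.lower() not in present]


def compare_hops(via_proxy: str, direct_backend: str) -> dict[str, list[str]]:
    """Headers missing at each hop; one missing only on the backend is proxy-injected."""
    return {"proxy": missing(via_proxy), "backend": missing(direct_backend)}


# Constructed sample: response as seen by an external client through the proxy.
VIA_PROXY = ("HTTP/2 200\r\ncontent-type: application/json\r\n"
             "x-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\n\r\n")
# Constructed sample: response from the HTTP-only backend, bypassing the proxy.
DIRECT_BACKEND = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                  "X-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    for hop, absent in compare_hops(VIA_PROXY, DIRECT_BACKEND).items():
        print(f"{hop}: missing {absent or 'nothing'}")
```

A header that appears under `backend` but not under `proxy` is added only at the proxy, so any check that reaches the backend without passing through the proxy will not see it.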
