Kolab Now and SFOS 3.4

of course.
Like previously, all test were run with my ‘user@domain’.

correct password;

$ curl -I -L --anyauth --user user@domain https://apps.kolabnow.com/.well-known
Enter host password for user '…':
HTTP/1.1 401 Unauthorized
Date: Wed, 13 Jan 2021 20:53:43 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: connect-src 'self';             child-src 'self';             font-src 'self';             form-action 'self' data:;             frame-ancestors 'self';             frame-src 'self';             img-src data: 'self';             media-src 'self';             object-src 'self';             script-src 'self' 'unsafe-inline' 'unsafe-eval';             style-src 'self' 'unsafe-eval' 'unsafe-inline';             default-src 'none';             reflected-xss block;             referrer no-referrer;
WWW-Authenticate: Basic realm="KolabDAV"
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: application/xml; charset=utf-8

HTTP/1.1 404 Not Found
Date: Wed, 13 Jan 2021 20:53:43 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: connect-src 'self';             child-src 'self';             font-src 'self';             form-action 'self' data:;             frame-ancestors 'self';             frame-src 'self';             img-src data: 'self';             media-src 'self';             object-src 'self';             script-src 'self' 'unsafe-inline' 'unsafe-eval';             style-src 'self' 'unsafe-eval' 'unsafe-inline';             default-src 'none';             reflected-xss block;             referrer no-referrer;
X-Sabre-Version: 2.1.11
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: application/xml; charset=utf-8

wrong password;

$ curl -I -L --anyauth --user user@domain https://apps.kolabnow.com/.well-known
Enter host password for user '…':
HTTP/1.1 401 Unauthorized
Date: Wed, 13 Jan 2021 20:53:50 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: connect-src 'self';             child-src 'self';             font-src 'self';             form-action 'self' data:;             frame-ancestors 'self';             frame-src 'self';             img-src data: 'self';             media-src 'self';             object-src 'self';             script-src 'self' 'unsafe-inline' 'unsafe-eval';             style-src 'self' 'unsafe-eval' 'unsafe-inline';             default-src 'none';             reflected-xss block;             referrer no-referrer;
WWW-Authenticate: Basic realm="KolabDAV"
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: application/xml; charset=utf-8

HTTP/1.1 401 Unauthorized
Date: Wed, 13 Jan 2021 20:53:50 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: connect-src 'self';             child-src 'self';             font-src 'self';             form-action 'self' data:;             frame-ancestors 'self';             frame-src 'self';             img-src data: 'self';             media-src 'self';             object-src 'self';             script-src 'self' 'unsafe-inline' 'unsafe-eval';             style-src 'self' 'unsafe-eval' 'unsafe-inline';             default-src 'none';             reflected-xss block;             referrer no-referrer;
WWW-Authenticate: Basic realm="KolabDAV"
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: application/xml; charset=utf-8

not using any auth;

$ curl -I -L  https://apps.kolabnow.com/.well-known
HTTP/1.1 401 Unauthorized
Date: Wed, 13 Jan 2021 20:54:28 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: connect-src 'self';             child-src 'self';             font-src 'self';             form-action 'self' data:;             frame-ancestors 'self';             frame-src 'self';             img-src data: 'self';             media-src 'self';             object-src 'self';             script-src 'self' 'unsafe-inline' 'unsafe-eval';             style-src 'self' 'unsafe-eval' 'unsafe-inline';             default-src 'none';             reflected-xss block;             referrer no-referrer;
WWW-Authenticate: Basic realm="KolabDAV"
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Type: application/xml; charset=utf-8