diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
index e19442457..ca5cbf7f3 100644
--- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
@@ -149,6 +149,19 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
 ctl:ruleRemoveById=920440,\
 ver:'OWASP_CRS/3.2.0'"
+# Allow REPORT requests without Content-Type header (at least the iOS app does this)
+
+SecRule REQUEST_METHOD "@streq REPORT" \
+ "id:9003121,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain"
+ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
+ "t:none,\
+ ctl:ruleRemoveById=920340"
+
 # [ Searchengine ]
 #
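Review bot: The new chain starter 9003121 omits the `ver:'OWASP_CRS/3.2.0'` action that the preceding exclusion ends with, and its comment does not name the check being switched off. I would add `ver:'OWASP_CRS/3.2.0'` to the first rule's action list and extend the comment to something like `# Disables 920340 (request body present but no Content-Type header) for REPORT on the DAV files endpoint`. The exclusion applies to any client that sends REPORT to a path containing `/remote.php/dav/files/`, not only the iOS app. It is worth confirming how such bodies are still inspected, since ModSecurity normally picks its request body processor from the Content-Type header and, if I read the setup right, a request without one may reach the remaining rules unparsed.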