diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
index e1dca51c9..97aefb554 100644
--- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
@@ -141,6 +141,19 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
 ctl:ruleRemoveById=953100-953130,\
 ctl:ruleRemoveById=920440"
+# Allow REPORT requests without Content-Type header (at least the iOS app does this)
+
+SecRule REQUEST_METHOD "@streq REPORT" \
+ "id:9003121,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain"
+ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
+ "t:none,\
+ ctl:ruleRemoveById=920340"
+
 # [ Searchengine ]
 #
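Review bot: The new chain applies `ctl:ruleRemoveById=920340` to every REPORT request whose path contains `/remote.php/dav/files/`, from any client, while the comment only mentions the iOS app. With 920340 removed, a REPORT body sent without a Content-Type is presumably not handed to any body processor, so later rules may not inspect it; the comment should record that trade-off, e.g. `# Note: disables the missing-Content-Type check for all clients on this path; such bodies may go unparsed.` The chained `@contains` is a substring match, consistent with the neighbouring rule named in the hunk header, but it also matches when the string appears deeper in a path, so `@beginsWith` would be tighter where the install prefix is known. It is also worth confirming that 920340 is evaluated in phase 2 after this file is loaded, since a `ctl` action issued here cannot remove a rule that has already run.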