Activating HSTS at hoster Ionos


I’m running a nextcloud installation in a web space of ionos (former 1&1). In the settings section I got the message
Der "Strict-Transport-Security“-HTTP-Header ist nicht auf mindestens "15552000“ Sekunden eingestellt. Für mehr Sicherheit wird das Aktivieren von HSTS empfohlen, wie es in den Sicherheitshinweisen erläutert ist.
I read the instruction - there is written that I have to edit die virtualhost file of apache. I can’t do that because I have a web space packagehosted at IONOS.
I found some forum threads/articles where is suggested to edit the .htaccess.
So added the following block in .htaccess file in the nextcloud root directory:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" env=HTTPS
Unfortunately this modification has no effect.
I also tried a lot of similar codes - all of them don’t work.

Does someone has an idea how to solve this issue?

Thanks in advanced for your help!

Try to replace env=HTTPS with "expr=%{HTTPS} == 'on'".

HTTPS is an environment variable that is not necessarily set and in your case only checked for existence and not its value. To check the Apache2-internal variable for HTTPS state correctly, on Apache 2.4+ use the above statement.

Hi Michalng,

thx for your help. Unfortunately the modification has no effect. To be sure that I have not done another mistake here is the patly content of the .htaccess:

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" "expr=%{HTTPS} == 'on'"

I’m not familar with the rewrite options, so perhaps there is also a modification required:

 <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{HTTP_USER_AGENT} DavClnt
      RewriteRule ^$ /remote.php/webdav/ [L,R=302]
      RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
      RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
      RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
      RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
      RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
      RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
      RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
      RewriteRule ^remote/(.*) remote.php [QSA,L]
      RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
      RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
      RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

But mod_headers is active and Apache is v2.4, right? I’m personally no fan of those <IfModule> directives as I rather want a quick and hard error about invalid directives instead of silently missing some (security-)relevant ones.

Is your website available via Ionos domain? If so I can imagine that they simply filters/overrides the HSTS header as clients store it for the whole domain. But you should know or be able to get this info from Ionos :wink:.

Maybe I have the same problem. A customer from me is at Ionos, too. When I set Header, the Header will be send on http. But not on https. I think the header are removed on https. Can’t set X-Frame-Options or Strict-Transport-Security.