I'm running a Nextcloud installation in a web space of IONOS (formerly 1&1). In the settings section I got the message: Der "Strict-Transport-Security"-HTTP-Header ist nicht auf mindestens "15552000" Sekunden eingestellt. Für mehr Sicherheit wird das Aktivieren von HSTS empfohlen, wie es in den Sicherheitshinweisen erläutert ist.
I read the instructions - it is written there that I have to edit the virtualhost file of Apache. I can't do that because I have a web space package hosted at IONOS.
I found some forum threads/articles where it is suggested to edit the .htaccess.
So I added the following block to the .htaccess file in the Nextcloud root directory:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" env=HTTPS
Unfortunately this modification has no effect.
I also tried a lot of similar codes - none of them work.
Try to replace env=HTTPS with "expr=%{HTTPS} == 'on'".
HTTPS is an environment variable that is not necessarily set and in your case only checked for existence and not its value. To check the Apache2-internal variable for HTTPS state correctly, on Apache 2.4+ use the above statement.
Thx for your help. Unfortunately the modification has no effect. To be sure that I have not made another mistake, here is the partial content of the .htaccess:
But mod_headers is active and Apache is v2.4, right? I'm personally no fan of those <IfModule> directives as I rather want a quick and hard error about invalid directives instead of silently missing some (security-)relevant ones.
Is your website available via an Ionos domain? If so I can imagine that they simply filter/override the HSTS header as clients store it for the whole domain. But you should know or be able to get this info from Ionos.
Maybe I have the same problem. A customer of mine is at Ionos, too. When I set Header, the header will be sent on http. But not on https. I think the headers are removed on https. Can't set X-Frame-Options or Strict-Transport-Security.
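Added example, not part of the thread and not Nextcloud's own check: a small parser that tells you whether a response actually carries an HSTS header meeting the 15552000-second threshold from the warning above, which helps separate a broken .htaccess directive from a header removed upstream. The function names and the sample responses are constructed for illustration.

```python
MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning in this thread


def hsts_max_age(raw_headers):
    """Return max-age of the first Strict-Transport-Security header, or None."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        # RFC 6797: only the first STS header field in a response is processed.
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.strip().lower() == "max-age":
                val = val.strip().strip('"')  # value may be a quoted-string
                if val.isascii() and val.isdigit():
                    return int(val)
                return None  # malformed max-age
        return None  # header present but without max-age
    return None  # header absent


def check(raw_headers):
    """Classify a raw response header block as 'ok', 'too-short' or 'missing'."""
    age = hsts_max_age(raw_headers)
    if age is None:
        return "missing"
    return "ok" if age >= MIN_MAX_AGE else "too-short"


# Constructed sample responses (not captured from any real host).
HTTPS_STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
HTTPS_SET = (
    "HTTP/1.1 200 OK\r\n"
    'strict-transport-security: max-age="15552000"; includeSubDomains\r\n\r\n'
)
HTTPS_SHORT = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: includeSubDomains; max-age=3600\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("stripped", HTTPS_STRIPPED),
                          ("set", HTTPS_SET),
                          ("short", HTTPS_SHORT)):
        print(label, check(sample))
```

Feed it the header block from `curl -sI` against the https:// URL of the site. Browsers ignore HSTS received over plain HTTP (RFC 6797), so only the HTTPS response counts.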