Cannot get rid of "Strict-Transport-Security" HTTP header warning message

I'm using 12.0.3 on RPI3, installed 11.0.3 using the app installer provided by berryboot, upgraded since :wink: .
Cannot seem to get rid of “Strict-Transport-Security” HTTP header warning message.
I’ve followed instructions from;
and added:

<VirtualHost *:80>
Redirect permanent / https://
</VirtualHost>

> <VirtualHost *:443>
> ServerName mypi.
> Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
> </VirtualHost>

to my virtual host files, but warning doesn’t go away.

My rpi is behind an ISP firewall and a router and ports 80 and 443 were already in use and forward to a VM running OpenERP (now called Odoo). So I have external port (2443) forwarding to internal_IP_of_RPI:443.

Works fine, also for sharing, but could this be the reason the warning is still being triggered?

I’ve tried to replicate the error in another, manually installed LAMP Ubuntu16LTS, instance of Nextcloud 12.0.3 in VirtualBox, but can't do it, warning message disappears after adding code to VirtualHosts and reloading Apache2.

In the documentation you see that the module mod_headers needs to be enabled:
a2enmod mod_headers

and restart apache. With curl -vvvv you should be able to see all the headers sent and if the HSTS headers are sent as well.

I’m not sure exactly what your problem is, but I had a problem where I configured strict security which caused a redirect to HTTPS but when I removed this configuration my browser was still doing the redirect. The problem is that the strict security is cached. In my browser I found the site in my history and right clicked on the page and selected “Forget about this Site” from the context menu. After this I could connect again on HTTP.

Thanks for pointing me in the right direction.

sudo a2enmod mod_headers
ERROR: Module mod_headers does not exist!

Did a further search on that error and found following solution:
Adding the line

LoadModule headers_module /usr/lib/apache2/modules/

to apache2.conf and reloading service did the trick.
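
The header check suggested in the thread (inspecting the curl output for the HSTS header) can be scripted. The following is an added example, not part of any post above: it parses `curl -I` or `curl -v` output and reports why the header would still fail. The function names, the sample outputs and the choice of 15552000 as the minimum (the max-age used in the thread) are assumptions.

```python
import re

# Assumption: minimum taken from the max-age value used in the thread.
MIN_MAX_AGE = 15552000

def response_headers(raw):
    """Collect response headers from `curl -I` or `curl -v` output (lower-cased names)."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith(("*", ">")):      # curl -v info and request lines
            continue
        if line.startswith("<"):             # curl -v response-line prefix
            line = line[1:].strip()
        name, sep, value = line.partition(":")
        if sep and name and " " not in name:
            headers.setdefault(name.lower(), []).append(value.strip())
    return headers

def check_hsts(raw, min_max_age=MIN_MAX_AGE):
    """Return a list of findings; an empty list means the header passes."""
    values = response_headers(raw).get("strict-transport-security", [])
    if not values:
        return ["Strict-Transport-Security header not sent"]
    findings = []
    if len(values) > 1:
        findings.append("header sent more than once")
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        findings.append("max-age missing or malformed in %r" % values[0])
    elif int(max_age) < min_max_age:
        findings.append("max-age %s is below %d" % (max_age, min_max_age))
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings

# Constructed sample outputs, not captured from a real server.
GOOD = """< HTTP/1.1 200 OK
< Server: Apache
< Strict-Transport-Security: max-age=15552000; includeSubDomains
<"""
NO_MODULE = "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: text/html\n"
WEAK = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=3600\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("no header", NO_MODULE), ("weak", WEAK)):
        print(label, "->", check_hsts(sample) or "OK")
```

A missing header, as in the `NO_MODULE` sample, is what a server returns when the `Header` directive is in the vhost but the headers module is not loaded or Apache has not been reloaded.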