Docker Traefik "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds

Hello, I’m having an issue trying to get Nextcloud to stop reporting the following error in Security & setup warnings:

“Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds

I’m using the Nextcloud 19.0.3 Apache Docker image with Traefik 2 as the reverse proxy. I have the following labels set up in my Nextcloud docker-compose.yml file:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.cloud.entrypoints=http"
  - "traefik.http.routers.cloud.rule=Host(`$HOST.$DOMAIN`)"
  - "traefik.http.middlewares.cloud-https-redirect.redirectscheme.scheme=https"
  - "traefik.http.routers.cloud.middlewares=cloud-https-redirect"
  - "traefik.http.routers.cloud-secure.entrypoints=https"
  - "traefik.http.routers.cloud-secure.rule=Host(`$HOST.$DOMAIN`)"
  - "traefik.http.routers.cloud-secure.tls=true"
  - "traefik.http.routers.cloud-secure.tls.certresolver=le"
  - "traefik.http.routers.cloud-secure.service=cloud"
  - "traefik.http.services.cloud.loadbalancer.server.port=80"
  - "traefik.docker.network=proxy"
  - "traefik.http.middlewares.cloud.headers.customFrameOptionsValue=SAMEORIGIN"
  - "traefik.http.middlewares.cloud.headers.framedeny=true"
  - "traefik.http.middlewares.cloud.headers.sslredirect=true"
  - "traefik.http.middlewares.cloud.headers.STSIncludeSubdomains=true"
  - "traefik.http.middlewares.cloud.headers.STSPreload=true"
  - "traefik.http.middlewares.cloud.headers.STSSeconds=315360000"
  - "traefik.http.middlewares.cloud.headers.forceSTSHeader=true"
  - "traefik.http.middlewares.cloud.headers.sslProxyHeaders.X-Forwarded-Proto=https"
  - "traefik.http.middlewares.cloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
  - "traefik.http.middlewares.cloud-dav.replacepathregex.replacement=/remote.php/dav/"

I have also verified under Traefik HTTP Middlewares that the cloud@docker is showing the following:

STS SECONDS 315360000
STS INCLUDE SUBDOMAINS True
STS PRELOAD True
FORCE STS HEADER True
FRAME DENY True

Yet I cannot get that warning to go away. Any ideas?

Hello! I am not using docker myself, but I had this same 15552000 HSTS problem persisting with my NextCloudPi install, even when I made totally sure the settings were correct.

In the end the problem was that Cloudflare had its own HSTS settings overriding that max-age value and setting it to null. :see_no_evil: You can scan your domain headers, for example here, and see if the report shows the max-age values you have set.
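
The header check suggested in the reply above can also be run locally. The following is an added example, not code from the thread, from Nextcloud or from Traefik: it parses the Strict-Transport-Security value a client actually receives (after any proxy or CDN in front of Traefik) and compares max-age with the 15552000 threshold from the warning. The function names and the sample header values are constructed for illustration.

```python
import re
import sys
import urllib.request

NEXTCLOUD_MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns a dict of lower-cased directives, or None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:       # a repeated directive invalidates the header
            return None
        directives[name] = val
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None                  # max-age is required and must be an integer
    return directives

def check_hsts(header_values, minimum=NEXTCLOUD_MIN_MAX_AGE):
    """header_values: every Strict-Transport-Security value in the response, in order.
    Returns (ok, reason)."""
    if not header_values:
        return False, "header missing"
    parsed = parse_hsts(header_values[0])   # clients honour only the first header
    if parsed is None:
        return False, "invalid header: %r" % header_values[0]
    max_age = int(parsed["max-age"])
    if max_age < minimum:
        return False, "max-age %d is below %d" % (max_age, minimum)
    return True, "max-age %d" % max_age

if __name__ == "__main__":
    # Constructed sample values; pass a URL to check a live response instead.
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1]) as resp:
            print(check_hsts(resp.headers.get_all("Strict-Transport-Security") or []))
    else:
        for sample in (["max-age=315360000; includeSubDomains; preload"],
                       ["max-age=0"], ["max-age=null"], []):
            print(sample, "->", check_hsts(sample))
```

Run it against the public hostname rather than the container, so the result reflects whatever sits between the browser and Traefik.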