Finetuning HSTS on Nextcloud

Guido_van_Harten · November 3, 2017, 9:25pm

Due to the warning
"The “Strict-Transport-Security” HTTP header is not configured…"
I added my conf file with the following lines:

<VirtualHost *:443>
ServerName my.domain.com

Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

On https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html#enable-hsts-label I read the tip to add “; preload”. Do I add this before or after the quote?
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
or
Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”; preload

Regards,
Guido

Soko · November 5, 2017, 9:48am

should work…
https://hstspreload.org/

Guido_van_Harten · November 5, 2017, 11:13am

Ok, I didn’t tell that I visited that website already.
On that website I got two replies:

Error: subdomain
my.domain.com is a subdomain. Please preload domain.com instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)

Error: No HSTS header
Response error: No HSTS header is present on the response.

(my.domain.com is fake in this topic. I am using my real domain name)

Regards,
Guido