Help me to enable HSTS (HTTP Strict Transport Security) on my NC22 instance, please!

I’ve installed and am running NC22.1.0.

I get the following security warning: "The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ".

Even though there is a written security tip, I did not manage to enable HSTS on my NC22 instance so far.

Could someone please post their experience here on how they managed to enable HSTS?

Which file(s) were affected?
Which code exactly was written?

Thanks.

The mentioned warning has nothing to do with Nextcloud itself but the configuration of your web server.
Unfortunately you haven’t provided any valuable information about your environment, the web server used, software version, how you’ve tried to enable HSTS, etc., etc., so it isn’t possible to give you any advice except to ask aunt G. for help on how to configure your web server.

1 Like

Did you restart the web server? Cleared your browser cache?
What web server do you use: Apache? nginx?
What guide did you use to install NC?

1 Like

Dear j-ed: I beg your pardon. You are absolutely right. I was less than poor regarding my context.
This is what I found regarding my environment/setup:

Operating System: Linux 5.11.0-25-generic x86_64
CPU: Intel(R) Core™ i3-8109U CPU @ 3.00GHz (4 cores)
Memory: 15.50 GB
PHP: 8.0.9
Database: mysql 10.3.30
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-07-05T07:16:56

Please let me know, if you need more information.
Best regards,
Soto

Dear henry:
My context is this:
Operating System: Linux 5.11.0-25-generic x86_64
CPU: Intel(R) Core™ i3-8109U CPU @ 3.00GHz (4 cores)
Memory: 15.50 GB
PHP: 8.0.9
Database: mysql 10.3.30
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-07-05T07:16:56

Yes, I restarted the apache web server by saying with root rights:
service apache2 restart

Yes, I cleared the browser’s cache.

I basically followed: https://docs.nextcloud.com/server/22/admin_manual/installation/harden_server.html

Best regards,
Soto

How did you determine that HSTS is not enabled?
Did you run it through the Qualys test?
https://www.ssllabs.com/ssltest/index.html

This is what you get when installing Hansson’s VM, for example

1 Like

When I run my domain through the SSL Server Test (Powered by Qualys SSL Labs) I get an Overall Rating A, i.e. not an A+ like in your example (Hansson’s VM).

Edit your /etc/apache2/sites-enabled-le-ssl.conf file and add the following code under the <VirtualHost *:443> header, just after the ServerName line; that should be fine:

    <IfModule mod_headers.c>
            # HSTS: 15552000 seconds (180 days) is the minimum Nextcloud's setup check accepts
            Header always set Strict-Transport-Security "max-age=15552000"
    </IfModule>

Save the file. Restart apache2 using the following or your system’s equivalent:

systemctl restart apache2

Done. :slight_smile:

8 Likes

Thank you all three (@j-ed, @anon71540698 and @wizlon) for having guided me - a NC beginner - towards a solution within one day!

My problem was that I had added the documented HSTS code to a different file than the correct Apache VirtualHost file.

Now the security warning: "The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips " has disappeared.
Thank you so much!

2 Likes

Thank you so much! Worked perfectly!

This worked for me, thanks!

For anybody using shared hosting without access to the server config, you can set this header in the .htaccess file in the Nextcloud root dir.

On a new line at the bottom of the file, add the following to satisfy the warning:

# Satisfy Nextcloud HSTS warning.
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

Bonus: You can also check your setup and submit your domain for Google Chrome preloading here: https://hstspreload.org/

1 Like
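As an added example (not code from this thread, from Nextcloud or from Apache), here is a small Python checker that evaluates a Strict-Transport-Security header the way the warning quoted above does: it parses the directives, verifies that max-age is at least 15552000 seconds, and reports whether includeSubDomains (needed for the hstspreload.org submission mentioned above) is present. The sample header value is constructed; pass an https:// URL as the first argument to check a live server instead.

```python
import sys
import urllib.request

# Nextcloud's setup check warns when max-age is below this value (180 days).
NEXTCLOUD_MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse an HSTS header value into {directive: value} (RFC 6797 syntax)."""
    directives = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name == "max-age":
            try:
                directives[name] = int(val.strip().strip('"'))
            except ValueError:
                continue  # an unparseable max-age is treated as absent
        else:
            directives[name] = True  # flag directives: includeSubDomains, preload
    return directives


def check_hsts(value):
    """Return (ok, messages); ok mirrors the Nextcloud warning threshold."""
    if value is None:
        return False, ["Strict-Transport-Security header is not set"]
    d = parse_hsts(value)
    msgs = []
    if "max-age" not in d:
        msgs.append("max-age directive missing")
    elif d["max-age"] < NEXTCLOUD_MIN_MAX_AGE:
        msgs.append("max-age %d is below %d" % (d["max-age"], NEXTCLOUD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        msgs.append("includeSubDomains not set (required for hstspreload.org)")
    return d.get("max-age", -1) >= NEXTCLOUD_MIN_MAX_AGE, msgs


def fetch_hsts(url):
    """Fetch an https:// URL and return its HSTS header value, or None if unset."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample value; a live server is checked when argv[1] is given.
    value = fetch_hsts(sys.argv[1]) if len(sys.argv) > 1 else "max-age=300"
    print(check_hsts(value))
```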

Works fine

Nextcloud HUB 8 - 29.0.7

14.09.2024

1 Like