HSTS config doesn't work

Hi, there!
I have config the HSTS according to the documents, but I still have the Warning message below:

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the [security tips]
    Here is my conf file:
Alias /nextcloud "/var/www/html/nextcloud/"
<VirtualHost *:80>
  ServerName ****
  DocumentRoot /var/www/html/nextcloud/
  <Directory /var/www/html/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
      Dav off

    SetEnv HOME /var/www/html/nextcloud
    SetEnv HTTP_HOME /var/www/html/nextcloud
RewriteEngine on
RewriteCond %{SERVER_NAME} =***
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
<VirtualHost *:443>
  ServerName ***
  DocumentRoot /var/www/html/nextcloud/
   <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

BTW, I have enable header module of apache.
Could you please help me figure this out? Thanks~

Maybe double-check that the module is running (maybe you didn’t restart apache?). You used something like this to install?

a2enmod headers
apache2 restart

Is the module listed if you type the following?
apache2ctl -M | grep -i headers

Did you double-check that https is used?

1 Like

Yes check if you enabled well the headers module.