HSTS config doesn't work

Whisht · April 26, 2018, 7:38am

Hi, there!
I have config the HSTS according to the documents, but I still have the Warning message below:

The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the [security tips]
Here is my conf file:

Alias /nextcloud "/var/www/html/nextcloud/"
<VirtualHost *:80>
  ServerName ****
  DocumentRoot /var/www/html/nextcloud/
  <Directory /var/www/html/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

    SetEnv HOME /var/www/html/nextcloud
    SetEnv HTTP_HOME /var/www/html/nextcloud
  </Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =***
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
  ServerName ***
  DocumentRoot /var/www/html/nextcloud/
   <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
 </VirtualHost>

BTW, I have enable header module of apache.
Could you please help me figure this out? Thanks~

wobbegong · May 20, 2018, 12:20pm

Maybe double-check that the module is running (maybe you didn’t restart apache?). You used something like this to install?

a2enmod headers
apache2 restart

Is the module listed if you type the following?
apache2ctl -M | grep -i headers

Did you double-check that https is used?

Nemskiller · May 21, 2018, 9:00am

Yes check if you enabled well the headers module.