HSTS error still present

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:


Or for longer, use three backticks above and below the code snippet:


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Hi, after several attempts and modifications of the conf files, I am left with the error in question. I followed the directions on the site, adding the string to the default-ssl.conf file, but the problem persists. Checking with the site “hstspreload.org” indicated in the guides and entering my domain, this is what comes out:

Error: No HSTS header
Response error: No HSTS header is present on the response

As for the redirect, I temporarily disabled it to connect locally and upload files faster, but I can’t activate HSTS.

Nextcloud version :
Operating system and version : Raspbian Bullseye 64bit
Apache version: Apache 2.4.52
PHP version : 8.0

The issue you are facing:
The "Strict-Transport-Security" HTTP header is not configured with a value of at least "15552000" seconds. To enhance security, we recommend enabling HSTS as described in Security Tips ↗

Is this the first time you’ve seen this error? : Y

The output of your config.php file in /var/ww/nextcloud/conf:

$CONFIG = array (
  'instanceid' => '--------------------',
  'passwordsalt' => '-------------------------------',
  'secret' => '--------------------------',
  'trusted_domains' => 
  array (
    0 => 'RPI.IP',
    1 => 'MY.DOMAIN.COM',
  'default_phone_region' => 'IT',
  'datadirectory' => '/DATA/DIRECTORY/NextCloud',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => 'http://RPI.IP/nextcloud',
  'dbname' => '[MYDBNAME]',
  'dbhost' => '[MYHOST]',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '[MYUSER]',
  'dbpassword' => '[MYPASSWORD]',
  'installed' => true,
  'filelocking.enabled' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '',
    'port' => 6379,

The output of your default-ssl.conf file in /etc/apache2/sites-available:

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		#ServerAdmin webmaster@localhost

		DocumentRoot /var/www/nextcloud
		ServerName MY.DOMAIN.COM
			<IfModule mod_headers.c>
				Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars

		Include	/etc/letsencrypt/options-ssl-apache.conf
		SSLCertificateFile /etc/letsencrypt/live/MY.DOMAIN.COM/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/MY.DOMAIN.COM/privkey.pem

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The output of your 000-default.conf file in /etc/apache2/sites-available:

<VirtualHost *:80>
	#Redirect permanent / https://MY.DOMAIN.COM/index.php/login

	#ServerAdmin webmaster@localhost
	DocumentRoot /var/www/nextcloud

	<Directory /var/www/nextcloud/>
		RewriteEngine On
		RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
		RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
		RewriteRule ^/\.well-known/host-meta https://%{SERVER_NAME}/public.php?service=host-meta [QSA,L]
		RewriteRule ^/\.well-known/host-meta\.json https://%{SERVER_NAME}/public.php?service=host-meta-json [QSA,L]
		RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/public.php?service=webfinger [QSA,L]	


	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I have been facing this issue for about a day and just solved it.
I am still learning so i google and mess around with things A LOT.

But this thread helped: "Strict-Transport-Security" HTTP header (HSTS) - #8 by JoshInGeneral

add this AT THE END of your .htaccess file. It should be in your Nextcloud folder (/var/www/…/nextcloud/.htaccess)

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=63072000; always"
Options -Indexes

run sudo systemctl restart apache2

Thanks for the advice, however I too, after a week of attempts (I also formatted the sd a dozen times), I realized that the string in question I had to insert the file ‘000-default-le-sll.conf’ at instead of ‘default-ssl.conf’. Saved and restarted Apache the “problem” is gone.