HSTS Header Not Detected by Nextcloud

Hello Nextcloud Community,

My instance shows the following warning:

The HTTP header Strict-Transport-Security is not configured to at least 15552000 seconds. For enhanced security, it is recommended to enable HSTS

Despite having the following directive set in my Apache VirtualHost configuration:

Header always set Strict-Transport-Security "max-age=15552001; includeSubDomains; preload"

I’ve tried:

  1. Clearing browser cache
  2. Verifying Apache syntax → OK
  3. Checking the header with curl: → Strict-Transport-Security: max-age=15552001; includeSubDomains; preload

However, Nextcloud continued to display the warning.

Finally, I added the HSTS header configuration directly to the .htaccess file in the Nextcloud root directory and ran the command:

sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess

After doing this, the warning in Nextcloud disappeared, and it recognized the HSTS header correctly.

My question is, why does Nextcloud not detect the HSTS configuration set in the Apache VirtualHost? I don’t want to place it in the application’s .htaccess file because it will be overwritten during updates.

Thank you!
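
An offline way to run the comparison described in the post above (an added example, not part of the original post and not Nextcloud's own code): it parses captured response headers and applies the 15552000-second threshold from the warning. The function names and the sample responses are constructed for illustration.

```python
MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning

def hsts_fields(raw_headers: str) -> list[str]:
    """Return every Strict-Transport-Security value in a raw header dump."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_max_age(value: str):
    """Extract max-age from one header value; None if absent or malformed."""
    for directive in value.split(";"):
        name, sep, arg = directive.partition("=")
        if name.strip().lower() != "max-age" or not sep:
            continue
        arg = arg.strip().strip('"')  # RFC 6797 allows token or quoted-string
        return int(arg) if arg.isascii() and arg.isdigit() else None
    return None

def check_hsts(raw_headers: str) -> tuple[bool, str]:
    """Return (ok, reason) for one captured response."""
    fields = hsts_fields(raw_headers)
    if not fields:
        return False, "header missing"
    # RFC 6797 section 8.1: a client processes only the first STS field,
    # so a duplicate added by a second config layer can hide the intended one.
    max_age = parse_max_age(fields[0])
    if max_age is None:
        return False, "no valid max-age"
    if max_age < MIN_MAX_AGE:
        return False, f"max-age {max_age} below {MIN_MAX_AGE}"
    note = " (duplicate fields present)" if len(fields) > 1 else ""
    return True, f"max-age {max_age} ok{note}"

# Constructed sample responses (not captured from any real server).
STS = "Strict-Transport-Security: "
SAMPLES = {
    "vhost": "HTTP/1.1 200 OK\r\n" + STS
             + "max-age=15552001; includeSubDomains; preload\r\n",
    "short": "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=31536\r\n",
    "none": "HTTP/1.1 302 Found\r\nLocation: /login\r\n",
    "dup": "HTTP/1.1 200 OK\r\n" + STS + "max-age=300\r\n"
           + STS + "max-age=15552001\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_hsts(raw))
```

Feeding it the output of `curl -sI` captured for each hostname, port and path the instance answers on shows which responses actually carry the header.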

My question to you is why don’t you use the template for creating support topics and we have to ask things like webserver version and OS now?

Personally, I use Apache v2.4.52 on Ubuntu 22.04, and the site conf contains the following:

<VirtualHost *:443>

    Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"

...

The syntax is different to yours, but Nextcloud is not complaining.
Are you sure your settings work? Have you tried checking your site using online tools like Qualys or similar?

Sorry, this is the information:

operating system:

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

apache version:

Server version: Apache/2.4.62 (Debian)
Server built:   2024-07-22T12:30:55

Unfortunately, with the directive you indicate, it is still not detected.

But yes, with curl I can see that it is there, but Nextcloud does not detect it.

Please review topics tagged with setup_warning; this was discussed often in the past.

Is the Apache headers module enabled?

Show all loaded modules:

apachectl -M

If it’s missing, you can enable it as follows:

a2enmod headers && systemctl restart apache2

Hello, thanks for the reply. Yes, it is.