HSTS Problem, Caddy and docker compose

So I would say this might be a simple problem, but I have not figured out how to fix it. I'm going for a perfect Nextcloud install, like not having any errors at least, but that seems to have gone downhill when I tried to fix the HSTS error. It has never really been a problem on previous installs, but now I'm using Caddy and suddenly it got worse. So here is the error:

Some headers are not set correctly on your instance - The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation ↗

This is a bit weird for me because doing a simple

curl -I https://example.com

gives me the output

strict-transport-security: max-age=15552000; includeSubDomains

Which should just remove the whole error message, no?
I'm using Nextcloud version 30.0.0 as well as PHP 8.2.23. I previously used NPM (Nginx Proxy Manager).
My Caddyfile includes:

example.com {
    route {
        crowdsec
        reverse_proxy 192.168.1.145:8080 {
            transport http {
                read_buffer 20MB
                write_buffer 20MB
            }
        }
    }
    encode gzip
    tls internal
    header {
        Strict-Transport-Security "max-age=15768000; includeSubDomains"
    }
    log {
        format json
        output file /var/log/caddy/example.com.log
    }
}

Note: this is just a snippet. Also, the max-age is different in the Caddyfile because I tested whether increasing it would fix the error, which it did not.

Try the following headers:

header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Robots-Tag "noindex,nofollow"
    X-Download-Options "noopen"
    X-Permitted-Cross-Domain-Policies "none"
    X-Frame-Options "sameorigin"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    Referrer-Policy "no-referrer"
}

Thank you for responding, but sadly I'm still getting the

Some headers are not set correctly on your instance - The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation ↗.

My Caddyfile header config is now like this:

    encode gzip
#    tls internal
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Robots-Tag "noindex,nofollow"
        X-Download-Options "noopen"
        X-Permitted-Cross-Domain-Policies "none"
        X-Frame-Options "sameorigin"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "no-referrer"
    }
    log {
        format json
        output file /var/log/caddy/example.com.log
    }
}

I had the same problem and found the following solution.

I changed the overwrite.cli.url config of Nextcloud from http://localhost to my external URL https://cloud.example.com, which fixed the error for me.
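
An added example, not part of any post in this thread: the fix in the last reply suggests the warning came from a response that did not pass through Caddy, so it helps to run the same HSTS check against each address. The sketch below parses response headers (such as the output of `curl -sI`) and applies the 15552000-second minimum from the warning; the function names and both sample header blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample headers below are constructed.
MIN_MAX_AGE=15552000   # minimum quoted in the Nextcloud warning

# Print the first valid max-age found in a Strict-Transport-Security header
# read from stdin (header name is case-insensitive, CRLF is tolerated).
hsts_max_age() {
    tr -d '\r' | awk '
        {
            pos = index($0, ":")
            if (pos == 0 || found) next
            if (tolower(substr($0, 1, pos - 1)) != "strict-transport-security") next
            n = split(tolower(substr($0, pos + 1)), d, ";")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t"]/, "", d[i])
                if (d[i] ~ /^max-age=[0-9]+$/) {
                    sub(/^max-age=/, "", d[i]); print d[i]; found = 1; break
                }
            }
        }'
}

# Classify the headers on stdin: ok:<age>, too-short:<age>, or missing.
check_hsts() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then echo "missing"; return 1; fi
    if [ "$age" -lt "$MIN_MAX_AGE" ]; then echo "too-short:$age"; return 1; fi
    echo "ok:$age"
}

# Constructed sample: response as seen through the reverse proxy.
VIA_CADDY='HTTP/2 200
server: Caddy
strict-transport-security: max-age=15552000; includeSubDomains'

# Constructed sample: response from the backend reached directly.
DIRECT_BACKEND='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff'

printf 'via proxy:      %s\n' "$(printf '%s\n' "$VIA_CADDY" | check_hsts)"
printf 'direct backend: %s\n' "$(printf '%s\n' "$DIRECT_BACKEND" | check_hsts)"

# Live use: curl -sI https://example.com | check_hsts
# Repeat against the address Nextcloud itself is configured with and compare.
```

If the public URL reports `ok` while the internally configured address reports `missing`, the header is being added by the proxy only, which matches the symptom described in the first post.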
