HSTS set up but not recognized

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.6
  • Operating system and version (e.g., Ubuntu 24.04):
    • Almalinux 5.14.0-503.38.1.el9_5.x86_64
  • Web server and version (e.g, Apache 2.4.25):
    • Apache/2.4.62
  • Reverse proxy and version (e.g. nginx 1.27.2)
    • n/a
  • PHP version (e.g, 8.3):
    • PHP 8.2.28
  • Is this the first time you’ve seen this error? (Yes / No):
    • No, it's been there for a while
  • When did this problem seem to first start?
    • 2 years ago maybe
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • Bare Metal
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

  • Admin panel complains that "Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the [documentation ↗](https://docs.nextcloud.com/server/31/go.php?to=admin-security)."

Measures Taken:

  1. httptools.dev Shows HSTS implemented correctly!
  2. On localhost, curl -s -D- https://nextcloud.mydomain.com | grep -i strict-transport-security: shows Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "nextcloud.werkraum.hk",
            "cloud.thewanch.hk"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.6.2",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_phone_region": "HK",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "maintenance": false,
        "maintenance_window_start": 5,
        "theme": "",
        "loglevel": 2,
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "data-fingerprint": "b0a4d505483d086847b732861ab2fb9a",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "app_install_overwrite": [
            "news"
        ],
        "memories.db.triggers.fcu": true,
        "memories.exiftool_no_local": true,
        "memories.vod.path": "\/var\/www\/nextcloud\/public_html\/apps\/memories\/bin-ext\/go-vod-amd64",
        "memories.vod.ffmpeg": "\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/bin\/ffprobe"
    }
}

Apps

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - assistant: 2.4.0
  - calendar: 5.3.2
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.1.3
  - contactsinteraction: 1.12.0
  - context_chat: 4.3.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - forms: 5.1.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - memories: 7.5.2
  - news: 26.0.1
  - notes: 4.12.1
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - quota_warning: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - richdocuments: 8.7.1
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - spreed: 21.1.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - talk_matterbridge: 1.31.1026000
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - whiteboard: 1.0.5
  - workflowengine: 2.13.0
Disabled:
  - bruteforcesettings: 4.0.0 (installed 3.0.0)
  - encryption: 2.19.0
  - files_external: 1.23.0
  - nextcloud_announcements: 3.0.0 (installed 1.14.0)
  - suspicious_login: 9.0.1 (installed 6.0.0)
  - user_ldap: 1.22.0

If the implemented script checks all trusted domains, the localhost might cause a problem.

I don’t know on a bare metal without reverse proxy, it should detect correctly normally …


This topic has been discussed here many times. Please search the forum.