HTTP Strict Transport enabled, but alert on Nextcloud 30

After upgrading from Nextcloud 29 to Nextcloud 30, I’ve realised that I’m now getting the HTTP Strict Transport alert, even though I wasn’t getting it before and everything seems to be working fine.

I have the following in my .conf

<VirtualHost *:443>
  ServerName <myhost>.com
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>
</VirtualHost>

This is what curl -I -L https://<myhost>/ shows:

HTTP/2 302
content-security-policy: default-src 'self'; script-src 'self' 'nonce-isJAwWo9bR00Lp1hlrf5ADgQAKLP6dOiMWsjAmVnO6k='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: oc_sessionPassphrase=NjFUnF3nj0wS4t3XBZ9NM9yreilG6biF4GZdjb0f4k1AOC5MNaqxn4PixqaJlaNGp%2FGsiTEOH%2B4Az0oxO7%2FheoPXU%2BWVuYf%2FJcGV84F6eWTAWAkC17Fx5O1SEM9w%2Be63; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: ocp1egv7aces=cagq1b3ocer07bl2lgjlnbu56e; path=/; secure; HttpOnly; SameSite=Lax
strict-transport-security: max-age=15552000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

Any idea why that is happening?

Which one are you getting precisely? There are at least three variations.

Also, what is your installation method? And where was the curl run from?

The checks have been evolving throughout the 28-30 development cycles. They’re now all server-side and thus more dependent on the URLs specified in your trusted_domains and overwrite.cli.url config values.

This is the alert I was getting

Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation.

The original Nextcloud installation was done manually (I think it was version 27 to start with), but I’ve been upgrading it using the functionality under Administration Settings since.

curl was run from another computer and not from the server itself.

trusted_domains is set up correctly, but…

'overwrite.cli.url' => 'http://localhost/nextcloud',
I changed that to match the actual domain Nextcloud runs on and the alert has disappeared.

As said, it was still working fine, but I couldn’t understand why I was getting an alert that I wasn’t getting before. As you said, something must have changed in the checks and that had become an issue.

Thank you for the help.

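The diagnosis above, as an added example that is not part of the thread or of Nextcloud's own code: a small Python model of the two things that had to line up here. It parses the Strict-Transport-Security value out of a set of response headers and checks it against the 15552000-second minimum the alert quotes, and it checks that overwrite.cli.url is an https URL whose host is listed in trusted_domains (a simplified stand-in for Nextcloud's server-side setup check, assumed here rather than its real logic; the host names and sample headers are constructed).

```python
from urllib.parse import urlsplit

# Minimum max-age demanded by the setup check quoted in the thread (180 days).
MIN_HSTS_AGE = 15552000


def parse_hsts(header_value):
    """Split an HSTS value into a dict; flag-only directives map to True.
    Returns None when max-age is missing or not a number."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    age = directives.get("max-age")
    if not isinstance(age, str) or not age.isdigit():
        return None
    directives["max-age"] = int(age)
    return directives


def check_hsts(headers, min_age=MIN_HSTS_AGE):
    """headers: list of 'name: value' lines as printed by curl -I.
    Returns (ok, reason) for the Strict-Transport-Security header."""
    values = [v.strip() for n, _, v in (h.partition(":") for h in headers)
              if n.strip().lower() == "strict-transport-security"]
    if not values:
        return False, "Strict-Transport-Security header is not set"
    parsed = parse_hsts(values[0])
    if parsed is None:
        return False, "max-age directive missing or invalid"
    if parsed["max-age"] < min_age:
        return False, f"max-age {parsed['max-age']} is below {min_age} seconds"
    return True, "ok"


def check_cli_url(overwrite_cli_url, trusted_domains):
    """Simplified model (assumption, not Nextcloud's code): a server-side probe
    of overwrite.cli.url only sees HSTS if that URL is https on a trusted host."""
    parts = urlsplit(overwrite_cli_url)
    if parts.scheme != "https":
        return False, f"{overwrite_cli_url} is plain http, so no HSTS header is observable"
    if parts.hostname not in trusted_domains:
        return False, f"host {parts.hostname} is not in trusted_domains"
    return True, "ok"


# Constructed sample: the HSTS line from the thread's curl output, and both config values.
SAMPLE_HEADERS = ["HTTP/2 302", "strict-transport-security: max-age=15552000; includeSubDomains"]
print(check_hsts(SAMPLE_HEADERS))
print(check_cli_url("http://localhost/nextcloud", ["cloud.example.com"]))  # the broken value
print(check_cli_url("https://cloud.example.com/", ["cloud.example.com"]))  # the fix
```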

Correct.

Release Notes - Critical Changes - Setup Checks