Issue with HSTS being too short, when I did not configure it

Hi,

My host allows me to send HSTS headers, which I usually configure, but if I do this as normal (Apache config), I get a warning that more than one HSTS header has been sent out:

“Server provided more than one HSTS header”

Is Nextcloud sending HSTS headers itself?

No. So this either is a bug in the header detection (unlikely) or something else in your setup adds it twice (my bet is on that).

Can you post the results of curl -v https://example.com/? Obviously replace example.com with your own domain :)

Yeah, guessing the same; was just a bit puzzled as other domains work fine.

root@jessie-rpi:~# curl -v https://sub.domain.tld/cloud
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 1.2.3.4...
* Connected to sub.domain.tld (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: CN=sub.domain.tld
*        start date: 2016-06-15 15:19:00 GMT
*        expire date: 2016-09-13 15:19:00 GMT
*        subjectAltName: sub.domain.tld matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*        SSL certificate verify ok.
> GET /cloud HTTP/1.1
> User-Agent: curl/7.38.0
> Host: sub.domain.tld
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 26 Jun 2016 20:39:40 GMT
* Server Apache is not blacklisted
< Server: Apache
< Strict-Transport-Security: max-age=31536000
< Location: https://sub.domain.tld/cloud/
< Vary: Accept-Encoding
< Content-Length: 245
< Content-Type: text/html; charset=iso-8859-1
<
{ [data not shown]
100   245  100   245    0     0    911      0 --:--:-- --:--:-- --:--:--   917
* Connection #0 to host sub.domain.tld left intact
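A small offline check for the two points raised in this thread (more than one Strict-Transport-Security header, and a max-age that is too short), added here as an example; it is not code from the thread or from Nextcloud. It parses a raw response head like the "<" lines curl -v prints above; the 180-day threshold and the two sample responses are assumptions constructed for the example.

```python
# Assumed threshold (Nextcloud's setup check asks for 180 days); not from the thread.
MIN_MAX_AGE = 15552000

# Constructed samples: the first mirrors the response captured in the thread,
# the second adds the duplicate header a second Apache layer might emit.
SINGLE = ("HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
          "Strict-Transport-Security: max-age=31536000\r\n"
          "Location: https://sub.domain.tld/cloud/\r\n\r\n<html>...")
DUPLICATE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
             "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n")


def hsts_headers(raw):
    """Return every Strict-Transport-Security value, in wire order."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict (RFC 6797 s6.1)."""
    policy = {}
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        policy[name] = (int(arg) if arg.isdigit() else None) if name == "max-age" else (arg or True)
    return policy


def check_hsts(raw):
    """Return a list of findings; an empty list means the policy looks fine."""
    values = hsts_headers(raw)
    if not values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        # RFC 6797 s8.1: a UA processes only the first STS header, so a stricter second copy is ignored.
        findings.append(f"{len(values)} HSTS headers sent; only the first counts")
    age = parse_hsts(values[0]).get("max-age")
    if not isinstance(age, int) or age < MIN_MAX_AGE:
        findings.append(f"max-age={age} is missing or below {MIN_MAX_AGE}")
    return findings


if __name__ == "__main__":
    for label, sample in (("single", SINGLE), ("duplicate", DUPLICATE)):
        print(label, check_hsts(sample) or "ok")
```

To run it against a live host, feed it the output of curl -si https://sub.domain.tld/cloud instead of the constructed samples.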