Nextcloud AIO Latest: resolve Some headers are not set correctly on your instance - The `Strict-Transport-Security` HTTP header message

Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 25.04 server
  • Web server and version (e.g, Apache 2.4.25):
    • What's shipped with Nextcloud AIO - Apache/2.4.65
  • Reverse proxy and version (e.g. nginx 1.27.2)
    • Traefik 3.5.1
  • PHP version (e.g, 8.3):
    • What's shipped with Nextcloud AIO - PHP 8.3.25
  • Is this the first time you’ve seen this error? (Yes / No):
    • no
  • When did this problem seem to first start?
    • When Nextcloud first ran and generated the security report
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • Docker AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • Cloudflare

Summary of the issue you are facing:

Nextcloud security report shows the following message

Some headers are not set correctly on your instance - The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `2592000`). For enhanced security, it is recommended to use a long HSTS policy.

Steps to replicate it (hint: details matter!):

  1. Log in as Admin.

  2. The security report is generated and reports the above

What was done so far

Edited .htaccess to add, at line 155:

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /index.php/error/403
ErrorDocument 404 /index.php/error/404

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header set Referrer-Policy "no-referrer"

I’ve also added the following in my nextcloud middlewares

Neither works.

This is the traefik app-nextcloud.yml

http:
  routers:
    nextcloud-rtr:
      rule: "Host(`nextcloud.{{env "DOMAINNAME_1"}}`)" 
      entryPoints:
        - websecure-external
        - websecure-internal
      middlewares:
        - chain-nextcloud-no-auth
      service: nextcloud-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    nextcloud-svc:
      loadBalancer:
        servers:
          - url: "http://<vm_ip_address>:11000" # http://IP-ADDRESS:PORT

chain-nextcloud-no-auth

http:
  middlewares:
    chain-nextcloud-no-auth:
      chain:
        middlewares:
          - middlewares-rate-limit
          - nextcloud-secure-headers
          #- nextcloud-middlewares-secure-headers
          # - middlewares-compress

middlewares-nextcloud-secure-headers

http:
  middlewares:
    nextcloud-secure-headers:
      headers:
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        referrerPolicy: "same-origin"
        # The HSTS options belong directly under `headers`. Under
        # `customResponseHeaders` they were emitted to the client as literal
        # "stsSeconds: 15552000" style headers, and the option is spelled
        # `stsPreload`, not `stsSTSPreload`.
        stsSeconds: 15552000
        stsIncludeSubdomains: true
        stsPreload: true
        # Traefik only adds Strict-Transport-Security on responses to HTTPS
        # requests; set this if TLS is terminated in front of Traefik instead.
        # forceSTSHeader: true
        customResponseHeaders:
          X-Robots-Tag: "noindex, nofollow"
          # The hand-written Strict-Transport-Security entry was removed: its
          # string was unterminated (YAML parse error) and it would compete
          # with the sts* options above for the same header.
          Permissions-Policy: "geolocation=(self), microphone=(), camera=(), fullscreen=*"
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

This is the closest error I could find
RuntimeException The loading of lazy AppConfig values have been triggered by app "admin_audit"

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.


Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

no references to Strict-Transport-Security in traefik logs.

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

sudo -u www-data php /var/www/html/occ config:list system

Warning: Failed to set memory limit to 0 bytes (Current memory usage is 2097152 bytes) in Unknown on line 0
The current PHP memory limit is below the recommended value of 512MB.
{
    "system": {
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "check_data_directory_permissions": false,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "nextcloud.oneaspenavenue.com",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "nextcloud.oneaspenavenue.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "IE",
        "dbtype": "pgsql",
        "version": "31.0.8.1",
        "overwrite.cli.url": "https:\/\/nextcloud.oneaspenavenue.com\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "updatechecker": false,
        "loglevel": 2,
        "log_type": "file",
        "logfile": "\/var\/www\/html\/data\/nextcloud.log",
        "log_rotate_size": 10485760,
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "preview_max_x": 2048,
        "preview_max_y": 2048,
        "jpeg_quality": 60,
        "enabledPreviewProviders": {
            "1": "OC\\Preview\\Image",
            "2": "OC\\Preview\\MarkDown",
            "3": "OC\\Preview\\MP3",
            "4": "OC\\Preview\\TXT",
            "5": "OC\\Preview\\OpenDocument",
            "6": "OC\\Preview\\Movie",
            "7": "OC\\Preview\\Krita",
            "0": "OC\\Preview\\Imaginary",
            "23": "OC\\Preview\\ImaginaryPDF"
        },
        "enable_previews": true,
        "upgrade.disable-web": true,
        "mail_smtpmode": "smtp",
        "trashbin_retention_obligation": "auto, 30",
        "versions_retention_obligation": "auto, 30",
        "activity_expire_days": 30,
        "simpleSignUpLink.shown": false,
        "share_folder": "\/Shared",
        "one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
        "upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
        "updatedirectory": "\/nc-updater",
        "maintenance_window_start": 100,
        "allow_local_remote_servers": true,
        "davstorage.request_timeout": 3600,
        "documentation_url.server_logs": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/5425",
        "htaccess.RewriteBase": "\/",
        "dbpersistent": false,
        "auth.bruteforce.protection.enabled": true,
        "ratelimit.protection.enabled": true,
        "files_external_allow_create_new_local": false,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***",
        "preview_imaginary_key": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "users",
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": true,
        "mail_smtpsecure": "ssl",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}

Apps

The output of occ app:list (if possible).

sudo -u www-data php /var/www/html/occ app:list

Warning: Failed to set memory limit to 0 bytes (Current memory usage is 2097152 bytes) in Unknown on line 0
The current PHP memory limit is below the recommended value of 512MB.
Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - bbb: 2.8.0
  - bruteforcesettings: 4.0.0
  - calendar: 5.5.4
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.3.1
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.2
  - drawio: 3.1.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_antivirus: 6.0.4
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud-aio: 0.8.0
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.3
  - notifications: 4.0.0
  - notify_push: 1.2.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - richdocuments: 8.7.4
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - socialsharing_bluesky: 3.3.0
  - socialsharing_whatsapp: 3.3.0
  - spreed: 21.1.4
  - support: 3.0.0
  - survey_client: 3.0.0
  - suspicious_login: 9.0.1
  - systemtags: 1.21.1
  - tasks: 0.16.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - app_api: 5.0.2 (installed 5.0.2)
  - encryption: 2.19.0
  - user_ldap: 1.22.0

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.
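The warning above is about the one `Strict-Transport-Security` value that reaches the client, and with Cloudflare, Traefik and the AIO Apache container each able to set that header, the practical question is which layer is emitting `max-age=2592000` (30 days) instead of the 15552000 (180 days) Nextcloud wants. The script below is an added example, not code from the forum post nor from Nextcloud or AIO: it parses an HSTS value the way a browser would, applies Nextcloud's threshold, and can send a HEAD request to each layer in turn by connecting to a chosen IP and port while keeping the real `Host` header, so the edge, Traefik and the AIO Apache port can be compared. The hostname `nextcloud.example.com`, the IP `192.0.2.10` and the `report`/`head_request` helpers are placeholders and assumptions of this example, not the poster's real values.

```python
# Added example: HSTS diagnostics for a Nextcloud instance behind Traefik and Cloudflare.
# Not part of the forum post or of Nextcloud/AIO; hostnames and IPs below are placeholders.
import socket
import ssl

# Threshold that Nextcloud's security check enforces (taken from the warning quoted above).
NEXTCLOUD_MIN_MAX_AGE = 15552000  # 180 days


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 directives, names case-insensitive).

    Returns {"max_age": int|None, "include_subdomains": bool, "preload": bool}.
    Raises ValueError on a non-numeric max-age, which browsers would also reject.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age: {arg!r}")
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(value, minimum=NEXTCLOUD_MIN_MAX_AGE):
    """Mirror Nextcloud's check: header present and max-age >= minimum. Returns (ok, reason)."""
    if value is None:
        return False, "Strict-Transport-Security header not set"
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        return False, "max-age directive missing"
    if parsed["max_age"] < minimum:
        days = parsed["max_age"] // 86400
        return False, f"max-age={parsed['max_age']} ({days} days) is below {minimum}"
    return True, "ok"


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, {lower-case header name: value})."""
    status_line, *lines = raw.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return status, headers


def head_request(host, ip=None, port=443, tls=True, path="/", timeout=10):
    """HEAD `path` on `host`, optionally connecting to `ip` instead of resolving `host`.

    Connecting to an IP while sending the real Host header (and SNI) is how you talk to
    Traefik or to the AIO Apache port directly instead of to the CDN edge in front of them.
    """
    sock = socket.create_connection((ip or host, port), timeout=timeout)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    sock.sendall(f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    sock.close()
    return parse_response_head(buf.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1"))


def report(layers):
    """layers: ordered {layer name: HSTS value or None}, outermost first.

    Returns [(layer, ok, reason)], so the first layer whose value differs from the
    origin's is the one rewriting (or dropping) the header.
    """
    return [(name, *check_hsts(value)) for name, value in layers.items()]


if __name__ == "__main__":
    HOST = "nextcloud.example.com"          # placeholder, not the poster's domain
    VM_IP = "192.0.2.10"                    # placeholder: the VM running Traefik and AIO
    observed = {
        "cloudflare edge": head_request(HOST)[1].get("strict-transport-security"),
        "traefik (direct)": head_request(HOST, ip=VM_IP)[1].get("strict-transport-security"),
        # AIO's Apache listens on plain HTTP on port 11000 (see the Traefik service above).
        "aio apache :11000": head_request(HOST, ip=VM_IP, port=11000, tls=False)[1]
        .get("strict-transport-security"),
    }
    for layer, ok, reason in report(observed):
        print(f"{layer:20} {'OK ' if ok else 'BAD'} {reason}  [{observed[layer]}]")
```

Run it from a machine that can reach the VM directly as well as the public hostname; if the edge reports 2592000 while Traefik and the AIO port report 15552000 or more, the header is being replaced in front of the origin rather than misconfigured behind it, which is the case the AIO reverse-proxy documentation's Cloudflare note addresses.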

Hi, please read through GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.

I have. If it was helpful I would not have created the ticket.

If a review of the amount of tickets with the same question was done you would see that the standard answer offers no assistance.

Then please read again and check point 11 in the list

Please close.

Will keep hunting for answers elsewhere.

Suggested 'solution' not valid.

So you did not see this?

  • If you get an error in Nextcloud’s admin overview that the HSTS header is not set correctly, you might need to enable it in Cloudflare manually.