Nextcloud fedora 38 install many problems remain without answer… HSTS

After installing nextcloud on fedora 38, I get this message:

The HTTP header “Strict-Transport-Security” is not set to at least “15552000” seconds. For enhanced security, it is recommended to activate HSTS as indicated in the security elements .

So I followed the security recommendation (when the link works…) : I added this in /etc/httpd/conf.d/virtualhost.conf file:

<VirtualHost :443>
ServerName nextcloud

Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

And… nothing has changed!

Do you have a proxy (Cloudflare counts) at all in front or is this VirtualHost entry the sole termination point for HTTPS connections?

I assume you restarted Apache after making the above change?

I don’t understand what you mean with “Do you have a proxy (Cloudflare counts) …”

And, of course, I restart apache when I add a config!

Thak you.


Hi @frpatte,

What @jtr is asking is do you have a proxy service setup in front of your Apache server, like Nginx, Caddy, Cloudflare, etc? For instance if you are using the Nextcloud AIO setup, it automatically sets up a proxy in front of apache, you would then need to change the HSTS on the proxy.

Also have you checked your VirtualHost file? To make sure HSTS is set to 15552000?

Also browsers are lazy, they cache a lot of information, instead of re downloading it, so changes you make might not show in the browser for a few hours/days. Try clearing your cache.


No, I haven’t any proxy… nginx if off (masked) and my VirtualHost.conf is:

<VirtualHost :443>
ServerName nextcloud

Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

and module mod_header is loaded:
httpd -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)

headers_module (shared)

Of course, I restarted httpd …


Morning @frpatte

Is the headers module installed and turned on?

Here is a guide:


Of course! I sent the result of httpd -M | grep headers

headers_module (shared)