In the admin panel I see a security warning:
The "Strict-Transport-Security" HTTP header is not set to at least "15768000" seconds. To improve security, we recommend enabling HSTS as described in the security tips.
Usually I added this code:
Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
into the /var/www/owncloud/.htaccess but this isn’t working.
Any idea to get this fixed?
System: nginx/1.6.2 & PHP 5.6.22 & Nc 9.0.55
NGINX does not support .htaccess files.
To use HSTS with NGINX, you should add the following line to your server block:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
You can also have a look at the documentation for config files to use with NGINX.
I used the config you are referring to. But it wasn’t part of it. Thank you so much for this hint. Issue solved.
I have the same problem after a new Nextcloud 10.0.1 installation.
I pasted the following code into the Nextcloud .htaccess file.
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
But it doesn’t work.
After that, I pasted the code into the main www .htaccess file. It doesn’t work either.
I use an Apache 2.4 server and it has been restarted.
Did you install and enable mod_headers?
Yes, it is installed and enabled.
Apache has been restarted multiple times.
I had the same issue, for me this helped: http://www.synology-forum.de/showthread.html?76163-DSM-6-und-HSTS/page2&p=638567&viewfull=1#post638567
This is a solution for Synology DiskStations but I think it also works on other environments in some way.
For non-German speakers, here is a translation:
- Log in to your DS via SSH
- Get root access with "sudo su -" (without " ") using the admin password
- Create a new file in /etc/nginx/conf.d named "http.*.conf" (replace the * with something else); if you only want "hsts", the name could be "http.hsts.conf" (e.g. command "nano /etc/nginx/conf.d/http.hsts.conf")
- Add 'add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";' (without ')
- Save and close the file
- Reload the Nginx config: "nginx -s reload"
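After a reload, the header the server actually sends can be checked against the threshold from the admin-panel warning. The following is an added example, not part of the original posts: the function names `parse_hsts` and `hsts_ok` are assumptions, the sample responses are constructed from the header values quoted in this thread, and it parses a raw response header block instead of making a network request.

```python
import re

MIN_MAX_AGE = 15768000  # threshold named in the warning quoted in the first post

def parse_hsts(value):
    """Parse an HSTS header value into {directive: value or None}.

    Per RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, empty directives (a trailing ';') are tolerated, and a
    repeated directive invalidates the header (None is returned).
    Simplification: a ';' inside a quoted value is not handled.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if val else None
    return directives

def hsts_ok(raw_headers, min_age=MIN_MAX_AGE):
    """Return (ok, reason) for a raw HTTP response header block."""
    values = [line.split(":", 1)[1].strip()
              for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return False, "header missing"
    d = parse_hsts(values[0])  # RFC 6797 8.1: only the first field is processed
    if d is None or not re.fullmatch(r"[0-9]+", d.get("max-age") or ""):
        return False, "invalid or missing max-age"
    if int(d["max-age"]) < min_age:
        return False, "max-age %s below %d" % (d["max-age"], min_age)
    return True, "ok"

# Constructed sample responses; the header values are the ones posted in this thread.
SAMPLES = {
    "nginx": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
             "max-age=15768000; includeSubDomains; preload;\r\n",
    "apache": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
              "max-age=15552000; includeSubDomains\r\n",
    "none": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, hsts_ok(raw))
```

Feed `hsts_ok` the output of `curl -sI https://<your-host>/` to test a live server, and pass a different `min_age` if the warning in your version names another value.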
Please don’t mix topics! The OP was using an nginx webserver and his problem was solved. Don’t come up with a different setup here, open a new topic for that. Closing this thread.