NGINX: "Strict-Transport-Security" HTTP header is not configured to at least "15768000" seconds

Hej

In the admin panel I see a security warning:

The "Strict-Transport-Security" HTTP header is not set to at least "15768000" seconds. To increase security, we recommend enabling HSTS as explained in the security tips.

Usually I add this code: Header set Strict-Transport-Security "max-age=15768000" env=HTTPS to /var/www/owncloud/.htaccess, but this isn't working.

Any idea to get this fixed?

System: nginx/1.6.2 & PHP 5.6.22 & Nc 9.0.55

Kind regards
//nephilim

NGINX does not support .htaccess files.

https://www.nginx.com/resources/wiki/start/topics/examples/likeapache-htaccess/

To use HSTS with NGINX, you should add the following line to your server block:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
You can also have a look at the documentation for config files to use with NGINX.

https://docs.nextcloud.org/server/9/admin_manual/installation/nginx_owncloud_9x.html

4 Likes
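As an added example (not part of the original post or of the Nextcloud documentation linked above), here is where that add_header line belongs in an NGINX setup, together with two gotchas that commonly make the admin warning persist even after the line has been added. The hostname, certificate paths, document root and the cache location block are assumptions for illustration only.

```nginx
# Added example, not from the original post or the Nextcloud docs.
# cloud.example.com, the certificate paths and the root are assumed.

# Plain-HTTP vhost: redirect only. Browsers ignore Strict-Transport-Security
# received over HTTP (RFC 6797), so sending the header here achieves nothing.
server {
    listen 80;
    server_name cloud.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cloud.example.com;

    ssl_certificate     /etc/ssl/certs/cloud.example.com.crt;   # assumed path
    ssl_certificate_key /etc/ssl/private/cloud.example.com.key; # assumed path

    # The header the admin check is looking for: max-age of at least
    # 15768000 seconds (about six months). Set it at server level so every
    # response from this vhost carries it.
    # Only add includeSubDomains if EVERY subdomain is reachable over HTTPS,
    # and only add preload if you intend to submit the domain to the
    # hstspreload.org list; both are hard to undo once browsers cache them.
    # On nginx >= 1.7.5 you may append "always" so the header is also sent on
    # 4xx/5xx responses; that parameter does not exist on the 1.6.2 in this
    # thread and would make the config fail to load there.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

    root /var/www/nextcloud;  # assumed
    index index.php;

    # Gotcha: add_header directives are inherited from the server level only
    # if the location block defines NO add_header of its own. This block adds
    # a Cache-Control header, so HSTS has to be repeated here, otherwise
    # responses served from this location silently lose it.
    location ~ \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
    }

    # ... remainder of the Nextcloud server block (PHP handler, deny rules
    # for /data and /config, etc.) as in the linked documentation ...
}
```

After `nginx -t && nginx -s reload`, confirm the header is actually emitted over TLS with `curl -sI https://cloud.example.com/ | grep -i strict-transport-security`; if it shows up on the front page but the admin panel still complains, check that the response path the admin check uses is not served from a location block with its own add_header lines.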

I used the config you are referring to. But it wasn't part of it. Thank you so much for this hint. Issue solved. :)

3 Likes

Hello,
I have the same problem after a new Nextcloud 10.0.1 installation.

I pasted the following code into the Nextcloud .htaccess file:
# Strict-Transport-Security:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

But it doesn’t work.

After that, I pasted the code into the main www .htaccess file. That doesn't work either.
I use an Apache 2.4 server and it has been restarted.

Best regards,
Christoph

Did you install and enable mod_headers?

Yes, it is installed and enabled.
Apache has been restarted multiple times.

I had the same issue; for me this helped: http://www.synology-forum.de/showthread.html?76163-DSM-6-und-HSTS/page2&p=638567&viewfull=1#post638567

This is a solution for Synology DiskStations, but I think it also works on other environments in some way.
For non-German speakers, here is a translation:

  1. Log in at your DS via SSH
  2. Get root access with "sudo su -" (without " ") using the admin password
  3. Create a new file in /etc/nginx/conf.d named "http.*.conf" (replace the * with something else); if you only want "hsts" the name could be "http.hsts.conf" (e.g. command "nano /etc/nginx/conf.d/http.hsts.conf")
  4. Add 'add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";' (without ')
  5. Save and close the file
  6. Reload Nginx Config. “nginx -s reload”

Please don’t mix topics! The OP was using an nginx webserver and his problem was solved. Don’t come up with a different setup here, open a new topic for that. Closing this thread.