Question about Strict Transport Security


I am not at all familiar with the Strict Transport Security topic.
Until now I just used the recommendation from the documentation in my .htaccess, with the preload though. That worked so far, I guess!?!

<VirtualHost *:443>
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
</VirtualHost>

Since I am using Plesk and I was tired of updating the .htaccess after every update, I managed to add the header to Plesk and hope that works as well. At least I do not see the hint within the Nextcloud settings.

Now I stumbled over the warning in the Nextcloud documentation:


We recommend the additional setting ; preload to be added to that header. Then the domain will be added to a hardcoded list that is shipped with all major browsers and enforce HTTPS upon those domains. See the HSTS preload website for more information. Due to the policy of this list you need to add it to the above example for yourself once you are sure that this is what you want. Removing the domain from this list could take some months until it reaches all installed browsers.

To get onto that hardcoded list I have to set the header to at least 1 year, in accordance with HSTS Preload, but for now I followed the Nextcloud recommendation, except for the preload switch, and I do not even know why.

Now to my questions.

Do I want to be on that list? What do I gain for my Nextcloud installation? Does it make sense for a small Nextcloud setup that has just four accounts? What are the pros and cons of being on that list?

Thanks in advance.
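
An added example, not part of the original post: a Python check of a Strict-Transport-Security value against the header requirements published for the HSTS preload list (max-age of at least one year, includeSubDomains, preload). The function names are hypothetical, and only the header is checked, not the list's other submission requirements.

```python
# Added example: checks a Strict-Transport-Security value against the
# header requirements of the HSTS preload list (hstspreload.org).
ONE_YEAR = 31536000  # seconds; minimum max-age for preload submission


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, flags). RFC 6797 directive
    names are case-insensitive; max-age may be a quoted string."""
    max_age = None
    flags = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit() or max_age is not None:
                raise ValueError("invalid or duplicate max-age")
            max_age = int(arg)
        elif not sep:
            flags.add(name)  # valueless directive, e.g. includeSubDomains
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, flags


def preload_gaps(value):
    """Return a list of reasons the header does not qualify for preload."""
    max_age, flags = parse_hsts(value)
    gaps = []
    if max_age < ONE_YEAR:
        gaps.append(f"max-age {max_age} is below {ONE_YEAR} (1 year)")
    if "includesubdomains" not in flags:
        gaps.append("includeSubDomains is missing")
    if "preload" not in flags:
        gaps.append("preload is missing")
    return gaps


if __name__ == "__main__":
    # The first value is the header from the post; the second is constructed.
    for header in ("max-age=15552000; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"):
        print(header, "->", preload_gaps(header) or "meets header requirements")
```
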