Security warning with recommendation to set Strict Transport Security


I have received the security warning that I should set the

Enable HTTP Strict Transport Security setting inside Apache VirtualHost in file 443.

This is what the warning looks like:

• The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For more security, enabling HSTS is recommended as explained in the Security Notes.

This is how the solution should look like:

This can be achieved by setting the following settings within the Apache VirtualHost file:

<VirtualHost *:443>


Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

My question:

Where can I find the Apache VirtualHost files to be able to change them.

How do I have to proceed to do this?

Thanks for your response

Hi @gs41

to help you here we would need some more information on your setup:

  • how did you install NC (Docker? Snap? manual? RPi?)
  • which webserver do you use?
  • what version of NC are you using?


Thank you for your response.

Enclosed is the additional information:

  1. Manual installation
  3. nextcloud 21.0.1

I hope this makes the solution easier

Hi @gs41

What do you mean with "manual installation? Did you install everything manually incl. webserver, PHP etc… on one of their Linux cloud servers or do you use one of their webhosting plans?

HSTS has to be configured in the webserver config. For example in apache it can be achieved by adding the following line to the virtual host config:

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

If you use one of their webhosting plans, you probably have to activate it somwhere in the admin panel or add it to the .htaccess file.