Set HSTS max-age=15552000 automatically by cronjob

At every NC version update or upgrade NC security and setup warnings alerts a non properly setting of HSTS. After changing .htaccess

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

everything is fine. But why this setting is not by default? And how can I setup my installation to automatically set the HSTS max-age to the appropriate value?

1 Like

You can also set the header in your apache vhost config, or in /etc/apache2/conf-available/security.conf.
Or you enable the HSTS Header app.

The HSTS Header is not longer listed in the Appstore…

At Hetzner Webhosting I do not have write permission to alter that file. I wrote an enquiry to their support desk. Normally they respond quick and competently.

That’s why I would never run a nextcloud on a webhosting. From time to time, more often than not, you need full root access. You get get a vserver with root access for less than 10 € per month. That’s two cans of good beer in a restaurant. As a result, you have full access to your system and can do what you want, and not wait for the support desk. Agreed, now you must also care for security and have a working firewall.

Because this setting tells your browser to refuse to connect to this site without HTTPS for the next 180 days. That would cause you a headache if your HTTPS wasn’t in order. The setting is supposed to be activated after you set up and test your HTTPS.

1 Like

I prefer to take it a step further and keep my data at home. You can buy a good used Dell PowerEdge for half the cost of a good laptop. Drop VMware ESXi on it, run a pfSense VM, plug in a USB hard drive connected to another VM for backups, and then you’re all set to run Nextcloud and whatever else strikes your fancy.

I’ve found that pfSense is a good companion for Nextcloud because it provides several useful functions beyond just being a solid firewall. You can run DDNS and split-horizon DNS on it, among other things.

This is not meant to be an advertisement but should be mentioned: Hetzner has confirmed within less than 24 hours, they have set my vHost settings accordingly to the HSTS requirements.

any chance this app is broken? On my instance it does not resolve the hsts warning… I read the github page and tried the thing with the config file but it did not work as well.
Could you give me some advice on this?