Set HSTS max-age=15552000 automatically by cronjob

At every NC version update or upgrade, the NC security and setup warnings alert to an improperly set HSTS header. After changing .htaccess to

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

everything is fine. But why is this setting not set by default? And how can I set up my installation to automatically set the HSTS max-age to the appropriate value?


You can also set the header in your apache vhost config, or in /etc/apache2/conf-available/security.conf.
Or you enable the HSTS Header app.
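Whichever of these places you put the header in, the warning only goes away if the header actually reaches the client with a large enough max-age. The following check script is an added example, not part of this thread or of Nextcloud's own code; it parses a Strict-Transport-Security value the way a browser would and reports what would still trip the 15552000-second requirement (the URL you pass on the command line is your own, an assumption):

```python
import re
import sys
import urllib.request

# The max-age Nextcloud's setup check asks for: 15552000 s = 180 days.
NEXTCLOUD_MIN_MAX_AGE = 15552000

def parse_hsts(header_value):
    """'max-age=15552000; includeSubDomains' ->
    {'max-age': 15552000, 'includesubdomains': True} (names are case-insensitive)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            # max-age must be a (possibly quoted) integer number of seconds
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                raise ValueError("malformed max-age: %r" % part)
            directives[name] = int(m.group(1))
        else:
            directives[name] = True
    return directives

def hsts_problems(header_value, min_max_age=NEXTCLOUD_MIN_MAX_AGE):
    """Reasons the header would still leave the warning in place ([] = fine)."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "max-age" not in d:
        problems.append("max-age directive missing")
    elif d["max-age"] < min_max_age:
        problems.append("max-age %d is below %d" % (d["max-age"], min_max_age))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set")
    return problems

def check_url(url):
    """Fetch url over HTTPS and report its HSTS problems (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return hsts_problems(resp.headers.get("Strict-Transport-Security"))

if __name__ == "__main__":
    print(check_url(sys.argv[1]))  # e.g. https://cloud.example.org/ (placeholder)
```

Run it against your own instance after each upgrade; an empty list means the header the browser receives is what the setup check wants.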

The HSTS Header app is no longer listed in the Appstore…

At Hetzner Webhosting I do not have write permission to alter that file. I wrote an enquiry to their support desk. Normally they respond quickly and competently.

That’s why I would never run a Nextcloud on a webhosting. From time to time, more often than not, you need full root access. You can get a vserver with root access for less than 10 € per month. That’s two cans of good beer in a restaurant. As a result, you have full access to your system and can do what you want, and not wait for the support desk. Agreed, now you must also care for security and have a working firewall.

Because this setting tells your browser to refuse to connect to this site without HTTPS for the next 180 days. That would cause you a headache if your HTTPS wasn’t in order. The setting is supposed to be activated after you set up and test your HTTPS.


I prefer to take it a step further and keep my data at home. You can buy a good used Dell PowerEdge for half the cost of a good laptop. Drop VMware ESXi on it, run a pfSense VM, plug in a USB hard drive connected to another VM for backups, and then you’re all set to run Nextcloud and whatever else strikes your fancy.

I’ve found that pfSense is a good companion for Nextcloud because it provides several useful functions beyond just being a solid firewall. You can run DDNS and split-horizon DNS on it, among other things.


This is not meant to be an advertisement but should be mentioned: Hetzner confirmed within less than 24 hours that they had set my vHost settings according to the HSTS requirements.

Any chance this app is broken? On my instance it does not resolve the HSTS warning… I read the GitHub page and tried the thing with the config file, but it did not work either.
Could you give me some advice on this?