Snap vs. "The Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds." with pirates and explosions

Hi! First of all, I theoretically know how to fix this, but snap doesn’t allow this approach. So:

I Installed Nextcloud 22.2.0 on my ubuntu server using snap. And I see this:

There are some warnings regarding your setup.

    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

The tip says (and I quote):

This can be achieved by setting the following settings within the Apache VirtualHost file:

But I don’t have access to that file because of snap and/or design choice.

Thus administrators are encouraged to set the HTTP Strict Transport Security header

If I don’t have access, I’m not the administrator. So shouldn’t that be a default setting? Is there a way for me to fix this?

Does the title sound interesting if you read it out loud? Is it a good summary?

I’d say “snap vs. ‘The Strict-Transport-Security’ HTTP header is not set to at least ‘15552000’ seconds.’” doesn’t sound interesting. Hmm. I’ll add “with pirates and explosions” to the title. That’s better.

Hi @fredvomjupiter

Do you use a self signed certificate? If yes, then this is normal and you can simply ignore the message. If you are using a domain name and your Nextcloud is exposed to the internet, you can either use the following command to obtain Let’s Encrypt certificates for the snap package…

https://github.com/nextcloud-snap/nextcloud-snap/wiki/Enabling-HTTPS-(SSL,-TLS)

…or you can put the snap behind a reverse proxy and handle your certificates there:

https://github.com/nextcloud-snap/nextcloud-snap/wiki/Putting-the-snap-behind-a-reverse-proxy

1 Like

Perfect, thank you! Yes, it is a self-signed certificate as the server is not exposed to the internet. But it’s good to know there are other solutions. I’ll add a bookmark here.

I actually considered re-installing Nextcloud via apt to make this warning go away. So maybe it would be a nice default setting.

Again, thank you @bb77!

This topic has been solved

Only reply here if:

  • You have additional details

  • The solution doesn’t work for you

I’m gonna break this rule to say thanks. Sue me.

1 Like