Strict-Transport-Security error.....I'm lost

Hello all,

I am at my wits end trying to fix this error however after spending the whole weekend on it, I am no further along.

I have NextCloud running in a Docker on my Synology DS916+. Everything is running great, I can access it remotely and have a Letsencrypt certificate installed.

My issue however is on the Overview page, I get the following error;

“The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described…”

I have read every page relating to this error I can find along with the official documentation that NextCloud provides, but nothing seems to work. A number of pages make reference to amending the htaccess file in Apache, however I can not locate this, as my system would appear to be using Nginx.

Can anyone please point me in the right direction before I lose it. :grin:



Thank you for replying so quickly, however I do not have Apache on my system, it would appear only Nginx, there is no Apache folder under /etc.

I have tried running the first command to active the headers however I get;
“-ash: LoadModue: command not found”

Apologies, Linux is very new to me.

Search similar for nginx.


I have looked on numerous sites, this being one of them;

…however still no luck.

Under /etc/apache I have a “sites-enabled” folder but not a “sites-available” folder.

In the “sites-enabled” folder however, there is a “synowstransfer.conf” however inside that is;

Lastly, I have tried the command; curl -I and I get the following (the last line however does show the Strict-Transport-Security max age as what it should be?

In the /etc/Nginx folder there is a “Nginx.conf” file,inside that is the following;

However I can not see the server block to add;
add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”;

grep -ir Strict-Transport-Security /etc/nginx/* might be helpful.


Thank you for replying, you all clearly know more than me regarding this stuff. :grinning:

I tried your suggestion and received the following;

Coincidentally, that’s the same number of services I have running via reverse-proxy;

that could be a hint that the “max-age” is defined somewhere else. :wink:

nevertheless. use your favorite editor to edit /etc/nginx/app.d/server.ReverseProxy.conf and restart nginx.


Apologies for the late reply, I ended up falling asleep trying to fix this. :grin:

Thought I would quickly try again before work.

I opened up the conf file you suggested and can confirm that all eight reverse proxy services are listed, including NextCloud. Unfortunately however, they all already have the above Strict Transport Security entries;

Thank you again for taking the time to reply and help.