I have my nextcloud in a subdomain on an 1&1 Webspace folder.
Now I try to configure everything in proper way.
In the section “Security warnings” I found this:
Der "Strict-Transport-Security“-HTTP-Header ist nicht auf mindestens "15552000“ Sekunden eingestellt. Für mehr Sicherheit wird das Aktivieren von HSTS empfohlen, wie es in den Sicherheitshinweisen erläutert ist.
In the help file I found the following:
Enable HTTP Strict Transport Security
While redirecting all traffic to HTTPS is good, it may not completely prevent man-in-the-middle attacks. Thus administrators are encouraged to set the HTTP Strict Transport Security header, which instructs browsers to not allow any connection to the Nextcloud instance using HTTP, and it attempts to prevent site visitors from bypassing invalid certificate warnings.
This can be achieved by setting the following settings within the Apache VirtualHost file:
We recommend the additional setting ; preload to be added to that header. Then the domain will be added to an hardcoded list that is shipped with all major browsers and enforce HTTPS upon those domains. See the HSTS preload website for more information. Due to the policy of this list you need to add it to the above example for yourself once you are sure that this is what you want. Removing the domain from this list could take some months until it reaches all installed browsers.
This example configuration will make all subdomains only accessible via HTTPS. If you have subdomains not accessible via HTTPS, remove includeSubdomains; .
This requires the mod_headers extension in Apache.
I am totally new with nextcloud.
I do not understand what to do to solve this.
I think I have no right to influence the 1&1 server?
Would be very glad if someone could explain me what to do on this.
Thanks for your help and patience.
Sorry, I haven’t used a web hoster before, so I don’t know your options on the server. However, while this is a web server configuration issue, you might want to ask the 1and1 support about this. Nextcloud is actually only the messenger here, advising some security hardening here.
Der "Strict-Transport-Security“-HTTP-Header ist nicht auf mindestens "15552000“ Sekunden eingestellt. Für mehr Sicherheit wird das Aktivieren von HSTS empfohlen, wie es in den Sicherheitshinweisen erläutert ist.
Es wurde kein PHP-Memory-Cache konfiguriert. Zur Erhöhung der Leistungsfähigkeit kann ein Memory-Cache konfiguriert werden. Weitere Informationen finden Sie in der Dokumentation.
Der “Referrer-Policy” HTTP-Header ist nicht gesetzt auf “no-referrer”, “no-referrer-when-downgrade”, “strict-origin” oder “strict-origin-when-cross-origin”. Dadurch können Verweis-Informationen preisgegeben werden. Siehe die W3C-Empfehlung.
I do not understand the related articles ( I am completely new with this suff)
PLS help me to solve this.
Where (in which file) do I have to put What ( which entries)
HTTP Strict Transport Security (HSTS) is a security mechanism in which a website tells the browser that all future requests should be made over HTTPS. Using HSTS will force all future requests to the current domain name to use https:// URLs even if the user attempts to go to links using http:// URLs.
You can enable HSTS headers by adding the following in a .htaccess file in your app’s web root directory (public):
Using this header, any browser that accesses the site over HTTPS will not # be able to access the plain HTTP site for one year (31536000 seconds). One you begin using this, you should not stop using SSL on your site or # else your returning visitors will not be able to access your site at all.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
This is by default enabled on all cloudamo.com services from free to business packages.