“Strict-Transport-Security” HTTP header (HSTS) "Big Boo Boo"

Nextcloud version (eg, 20.0.5): 21.0.3
Operating system and version (eg, Ubuntu 20.04): debian 10 (buster)
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.38
PHP version (eg, 7.4): 7.4 FPM

The issue you are facing:

Being the “genius” that I am… :roll_eyes: … I confused my “prod” server terminal with my “test” server terminal… and accidentally added:

```
<VirtualHost *:443>
  ServerName cloud.nextcloud.com
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>
</VirtualHost>
```

to my test server’s vhost… and the test server, of course, does not have an SSL certificate attached to it. Even though I have deleted the Apache directive above… I still cannot access my test server install of Nextcloud because it automatically goes to https://test.mynextcloud.com which, of course, does exist.

Is this the first time you’ve seen this error? (Y/N):

Unforced, dumb-dumb error, self-inflicted

That’s a browser “issue”. You have to delete this “entry” in your browser.

e.g.: https://www.google.com/search?q=firefox+remove+strict-transport-security

Thanks for the hint… figured it out… :slight_smile:

Yep. Whole point of HSTS is so that once the browser opens an SSL, it won’t make subsequent unencrypted connections.
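
An added example, not part of the thread: a small Python model of the browser-side HSTS store as specified in RFC 6797, showing why removing the Apache directive does not undo the upgrade to HTTPS. The `HstsStore` class and the `example.test` hostnames are constructed for illustration, and port rewriting is left out.

```python
# Minimal model of a browser's HSTS store (RFC 6797 behaviour); hostnames are constructed.
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def note_response(self, url, header, now):
        """Record the policy from a response; it is only honoured over HTTPS."""
        parts = urlsplit(url)
        if parts.scheme != "https" or header is None:
            return
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value.strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is required; a header without it is ignored
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # server asks to be forgotten
        else:
            self.entries[parts.hostname] = (now + max_age, include_sub)

    def is_pinned(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_pinned(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    store, t0 = HstsStore(), 0
    hdr = "max-age=15552000; includeSubDomains"  # header value from the vhost above
    store.note_response("https://cloud.example.test/", hdr, t0)
    # Later server config changes never touch the entry the browser already stored.
    return store.rewrite("http://cloud.example.test/login", t0 + 86400)
```

The entry lapses on its own once `max-age` seconds have passed (180 days for the value above), or earlier if the host serves `max-age=0` over a valid HTTPS connection.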