Hello everybody… and happy 2017.
This is my first question about nextcloud.
I just installed v11 through CPanel/Softaculous but I have a little problem.
I get this warning when I connect through https in the admin panel:
The “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
I have apache with mod_headers.c enabled and I have added this line:
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
at the end of .htaccess located in www.mysite[dot]com/nextcloud (that is the .htaccess created by nextcloud)
If I request www[dot]mysite[dot]com/nextcloud/index[dot]php page the header is not influenced by this directive.
BUT if I request www[dot]mysite[dot]com/nextcloud/test[dot]html (a file I created for testing purposes) the header contains the modification.
Where is the problem?
Can you help me?
P.S.
I checked the header with Firebug and also with the command “curl -I https://www[dot]mysite[dot]com/nextcloud”
Hallo, and sorry for my late answer (a broken leg gave me some problems).
I don’t have access to the Apache settings, but they should be OK and .htaccess works (i.e. I have tried the option Indexes).
and I added this line:
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
at the end of /public_html/nextcloud/.htaccess
not nested in any conditional statement to be sure it is used.
The file …/nextcloud/.htaccess has been created by Nextcloud but if I make any change in that file it seems to be ignored (even if I write below the line #### DO NOT CHANGE ANYTHING ABOVE THIS LINE #### )
In every other folder, the .htaccess file works fine and I can set whatever variable.
I don’t have access to the Apache configuration, but I think yes, AllowOverride All is set.
For example, I can set options like INDEXES and I can even set variables for the header, for whatever directory.
I can create any new folder and .htaccess works perfectly in that new folder… everywhere but the folder where I installed Nextcloud.
I created a test folder, with the following .htaccess:
Headers variable and Indexes work perfectly (files are not shown).
I know this is an old post but for future reference, instead of adding the line to .htaccess according to this article in Nextcloud documentation you should add it to your Apache virtual host like so:
Which “Virtual host file” ?
I tried to add this in /etc/apache2/sites-enabled/default-ssl.conf
And the mod_headers is enabled.
But I still get the warning in the Admin page.
Thanks for your reply.
So, I installed nextcloud on a fresh install of Ubuntu 16.04.
It is dedicated to nextcloud with only 1 “Virtual Host”
I am redirecting the web root to the nextcloud folder and it is secure/encrypted with let’s encrypt.
I tried to add these lines in default-ssl.conf first and then tried nextcloud.conf.
I even rebooted the server every time and I still get the “Strict-Transport-Security” warning.
I finally got it. It was the nextcloud.conf that I needed to modify. But in the instructions it says to add:
<VirtualHost *:443>
ServerName cloud.nextcloud.com
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>
And this did not work.
What worked was to paste it without the VirtualHost tag like so:
I have the following error on my nextcloud 14 installation and I’m also using let’s encrypt:
There are some warnings regarding your setup.
The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
Please verify that this header needs to be set inside the https/443 vhost.
Also try to remove the condition. Syntax looks good, but by this you can verify that the header is set correctly. Apache would throw an error on start-up if something is wrong.
Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Referrer-Policy "strict-origin"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
If I am not mistaken, the second value set to the same header will overwrite the first. You can use Header always add to add an additional value, but not sure if this is handled (as you want it). I would decide if you want the stricter rule or the less strict (the second in your cases) and only apply the one.
Your current case might be also the reason for errors, not sure.
Everything can be tested via the above curl command.
So I would assume you replace:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Referrer-Policy "strict-origin"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Prevent MIME based attacks
Header set X-Content-Type-Options "nosniff"
</IfModule>
by
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"
# Prevent MIME based attacks
Header set X-Content-Type-Options "nosniff"
And recheck the received headers via: curl -D- https://your.domain.org/nextcloud
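To make the curl check less error-prone, here is a small checker I am adding as an example (it is not from the thread or from Nextcloud): it parses a header dump as printed by `curl -D-`, applies the same 15552000-second threshold the admin page complains about, and lists every Referrer-Policy value the server actually emitted, so you can see which of several `Header set` lines survived. The header dump below is constructed, not real output from any site.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what `curl -D- https://your.domain.org/nextcloud` prints
# (header part only). With several `Header always set Referrer-Policy` lines,
# Apache emits only the last value, which is what this sample shows.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Mon, 02 Jan 2017 10:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

"""

NEXTCLOUD_MIN_MAX_AGE = 15552000  # 180 days, the value in the admin warning


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header dump into {name_lower: [values]}, keeping duplicates."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip status line and the blank line ending the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(headers: Dict[str, List[str]]) -> Optional[int]:
    """Return max-age from Strict-Transport-Security, or None if absent/unparseable."""
    values = headers.get("strict-transport-security", [])
    if not values:
        return None
    # RFC 6797: if the header appears more than once, only the first one counts.
    match = re.search(r"max-age\s*=\s*\"?(\d+)", values[0], re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_nextcloud_headers(raw: str) -> dict:
    """Run the checks discussed in the thread against one header dump."""
    headers = parse_headers(raw)
    age = hsts_max_age(headers)
    return {
        "hsts_max_age": age,
        "hsts_ok": age is not None and age >= NEXTCLOUD_MIN_MAX_AGE,
        "referrer_policy": headers.get("referrer-policy", []),
        "nosniff": "nosniff" in [v.lower() for v in headers.get("x-content-type-options", [])],
    }
```

Pipe a real dump into it with `curl -sD- -o /dev/null https://your.domain.org/nextcloud | python3 -c 'import sys, check; print(check.check_nextcloud_headers(sys.stdin.read()))'` (assuming you saved the block as check.py); a missing or too-small `hsts_max_age` means the header never reached the client, regardless of what the config file says.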