Hello, and sorry for my late answer (a broken leg gave me some problems).
I don't have access to Apache settings, but they should be OK and .htaccess works (i.e. I have tried the option Indexes).
and I added this line:
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
at the end of /public_html/nextcloud/.htaccess
not nested in any conditional statement to be sure it is used.
The file …/nextcloud/.htaccess has been created by Nextcloud, but if I make any change in that file it seems to be ignored (even if I write below the line #### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####).
In every other folder, the .htaccess file works fine and I can set whatever variable.
I don't have access to the Apache configuration, but I think yes, AllowOverride All is set.
For example, I can set options like INDEXES and I can even set variables for the header, for whatever directory.
I can create any new folder and .htaccess works perfectly in that new folder… everywhere but the folder where I installed Nextcloud.
I created a test folder, with the following .htaccess:
Headers variable and Indexes work perfectly (files are not shown).
I know this is an old post but for future reference, instead of adding the line to .htaccess according to this article in Nextcloud documentation you should add it to your Apache virtual host like so:
Which “Virtual host file” ?
I tried to add this in /etc/apache2/sites-enabled/default-ssl.conf
And the mod_headers is enabled.
But I still get the warning in the Admin page.
Thanks for your reply.
So, I installed Nextcloud on a fresh install of Ubuntu 16.04.
It is dedicated to nextcloud with only 1 “Virtual Host”
I am redirecting the web root to the nextcloud folder and it is secure/encrypted with let’s encrypt.
I tried to add these lines in default-ssl.conf first and then tried nextcloud.conf.
I even rebooted the server every time and I still get the "Strict-Transport-Security" warning.
I finally got it. It was the nextcloud.conf that I needed to modify. But in the instructions it says to add:
<VirtualHost *:443>
    ServerName cloud.nextcloud.com
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
</VirtualHost>
And this did not work.
What worked was to paste it without the VirtualHost tag like so:
I have the following error on my Nextcloud 14 installation and I'm also using Let's Encrypt:
There are some warnings regarding your setup.
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
Please verify that this header needs to be set inside the https/443 vhost.
Also try to remove the condition. Syntax looks good, but by this you can verify that the header is set correctly. Apache would throw an error on start-up if something is wrong.
Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Referrer-Policy "strict-origin"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
If I am not mistaken, the second value set to the same header will overwrite the first. You can use Header always add to add an additional value, but not sure if this is handled (as you want it). I would decide if you want the stricter rule or the less strict (the second in your cases) and only apply the one.
Your current case might be also the reason for errors, not sure.
Everything can be tested via above curl command.
So I would assume you replace:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Referrer-Policy "strict-origin"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Prevent MIME based attacks
Header set X-Content-Type-Options "nosniff"
</IfModule>
by
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"
# Prevent MIME based attacks
Header set X-Content-Type-Options "nosniff"
And recheck the received headers via: curl -D- https://your.domain.org/nextcloud
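As an added example (not part of this thread, and not Nextcloud's or Apache's own tooling), here is a small POSIX shell checker that parses a header dump of the kind `curl -D-` prints and reports whether the HSTS policy meets the 15552000-second minimum that the Nextcloud admin page warns about. The three header dumps embedded in it are constructed samples. It reads the first Strict-Transport-Security line only, because RFC 6797 tells user agents to process just the first one, so a second copy added with `Header add` would not help.

```shell
#!/bin/sh
# Added example: validate the HSTS header in a captured response-header dump.
# Pipe real output in with:  curl -sD- -o /dev/null https://your.domain.org/nextcloud | check_hsts
# (the dumps below are constructed, not real server output).

MIN_AGE=15552000   # Nextcloud's minimum (180 days)

# Print the value of the first Strict-Transport-Security header read from
# stdin. Header names are matched case-insensitively (HTTP/2 dumps are
# lower-case) and CR characters are stripped. Prints nothing if absent.
hsts_value() {
  tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# Extract the numeric max-age from an HSTS value; prints 0 when it is missing.
hsts_max_age() {
  age=$(printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  printf '%s' "${age:-0}"
}

# Read a header dump from stdin; return 0 when HSTS is present with
# max-age >= MIN_AGE, 1 otherwise, and print a one-line verdict.
check_hsts() {
  value=$(hsts_value)
  if [ -z "$value" ]; then
    echo "FAIL: no Strict-Transport-Security header (mod_headers active? directive inside the :443 vhost?)"
    return 1
  fi
  age=$(hsts_max_age "$value")
  if [ "$age" -lt "$MIN_AGE" ]; then
    echo "FAIL: max-age=$age is below the required $MIN_AGE"
    return 1
  fi
  lc=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
  case "$lc" in
    *includesubdomains*) sub=yes ;;
    *)                   sub=no  ;;
  esac
  echo "OK: max-age=$age includeSubDomains=$sub"
  return 0
}

# Constructed sample dumps for a self-contained demo.
GOOD_HEADERS='HTTP/2 200
server: Apache
strict-transport-security: max-age=15552000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
'
SHORT_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536; includeSubDomains
'
MISSING_HEADERS='HTTP/1.1 200 OK
Server: Apache
Referrer-Policy: no-referrer
'

# Demo run: one OK verdict, then two FAIL verdicts.
for dump in "$GOOD_HEADERS" "$SHORT_HEADERS" "$MISSING_HEADERS"; do
  printf '%s' "$dump" | check_hsts || :
done
```

Because the function reads whatever is on stdin, it works equally on a saved dump (`check_hsts < headers.txt`) and on live `curl` output, which is handy for confirming whether the Certbot-included options file or a duplicate `Header` line is what actually reaches the client.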
Whoopsie, mixed up Header always set Referrer-Policy "strict-origin"
with Header always set X-Frame-Options "sameorigin"
referrer-policy: strict-origin
As you can see, the second header line overrides the first.
Please try to remove Header always set Referrer-Policy "strict-origin" line as well to be most strict.
Hmm strange, as my config line looks exactly the same… and where is the preload option coming from?
Certbot places an own security config file that is loaded after you set your headers. See in your config at the bottom: Include /etc/letsencrypt/options-ssl-apache.conf
Please check this file, as perhaps it overrides your HSTS.
And again, for debugging please try as well to remove (or comment out) <IfModule mod_headers.c> and </IfModule> around the header section.