Support intro
Sorry to hear you’re facing problems. 
The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.
If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.
Getting help
In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.
Before clicking submit: Please check if your query is already addressed via the following resources:
- Official documentation (searchable and regularly updated)
- How to topics and FAQs
- Forum search
(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).
Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. 
The Basics
- Nextcloud Server version (e.g., 29.x.x):
30.0.6-apache (docker image)
- Operating system and version (e.g., Ubuntu 24.04):
Debian GNU/Linux 12 (bookworm)
- Web server and version (e.g, Apache 2.4.25):
Apache/2.4.62 (Debian)
- Reverse proxy and version _(e.g. nginx 1.27.2)
nginx/1.18.0 (Ubuntu)
- PHP version (e.g, 8.3):
8.2.27
- Is this the first time you’ve seen this error? (Yes / No):
No - it is a warning I have previously ignored
- Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
Running in a Kubernetes cluster with a reverse proxy/loadbalanser in frontTLS is terminated in the nginx reverse proxy
- Are you using CloudfIare, mod_security, or similar? (Yes / No)
No
Summary of the issue you are facing:
In the Admin Overview → Security & setup warnings I have the following message:
Some headers are not set correctly on your instance - The 'Strict-Transport-Security' HTTP header is not set (should be at least '15552000' seconds). For enhanced security, it is recommended to enable HSTS. For more details see the documentation
Since the server is running behind a reverse proxy with TLS termination, the protocol to the Nextcloud server is http.
From my understanding the ‘Strict-Transport-Security’ header must be set on the proxy and forwarded to the Nextcloud server.
I have investigated and tried different things, but the message will not go away.
Steps to replicate it (hint: details matter!):
The warning is permanently displayed
Log entries
I do not attach any logs at this stage, but if it is of value, I will of course provide that.
Web server / Reverse Proxy
Config in nginx external reverse proxy (replaced my real domain name with example.com)
server {
listen 443 ssl;
server_name nc.example.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# HSTS Header (Force HTTPS)
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_pass http://nextcloud-k8s;
}
}
Configuration
Nextcloud
The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):
{
"system": {
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"password": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"nc.asgards.no",
"192.168.1.21"
],
"overwrite.cli.url": "http:\/\/localhost",
"overwriteprotocol": "https",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "nc.asgards.no",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "30.0.6.2",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"loglevel": 2,
"maintenance": false,
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_smtpauth": 1,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"maintenance_window_start": 1,
"default_phone_region": "NO"
}
}
Apps
The output of occ app:list (if possible).
Enabled:
- activity: 3.0.0
- app_api: 4.0.6
- bruteforcesettings: 3.0.0
- circles: 30.0.0
- cloud_federation_api: 1.13.0
- comments: 1.20.1
- contactsinteraction: 1.11.0
- dashboard: 7.10.0
- dav: 1.31.1
- federatedfilesharing: 1.20.0
- federation: 1.20.0
- files: 2.2.0
- files_downloadlimit: 3.0.0
- files_pdfviewer: 3.0.0
- files_reminders: 1.3.0
- files_sharing: 1.22.0
- files_trashbin: 1.20.1
- files_versions: 1.23.0
- firstrunwizard: 3.0.0
- logreader: 3.0.0
- lookup_server_connector: 1.18.0
- nextcloud_announcements: 2.0.0
- notifications: 3.0.0
- oauth2: 1.18.1
- password_policy: 2.0.0
- photos: 3.0.2
- privacy: 2.0.0
- provisioning_api: 1.20.0
- recommendations: 3.0.0
- related_resources: 1.5.0
- serverinfo: 2.0.0
- settings: 1.13.0
- sharebymail: 1.20.0
- support: 2.0.0
- survey_client: 2.0.0
- systemtags: 1.20.0
- text: 4.1.0
- theming: 2.6.0
- twofactor_backupcodes: 1.19.0
- updatenotification: 1.20.0
- user_ldap: 1.21.0
- user_status: 1.10.0
- viewer: 3.0.0
- weather_status: 1.10.0
- webhook_listeners: 1.1.0-dev
- workflowengine: 2.12.0
This is certainly not a very serious topic, but if someone have input/guiding how to solve this, it would be much appreciated.
