"Strict-Transport-Security" HTTP-Header // not able to activate


i am not able to activate the “Strict-Transport-Security” HTTP-Header (get always the error message in the admin page.

Der “Strict-Transport-Security” HTTP-Header ist nicht auf mindestens “15552000” Sekunden eingestellt. Für mehr Sicherheit wird das Aktivieren von HSTS empfohlen, wie es in unseren Sicherheitshinweisen erläutert ist.

… and i also have activated redirecting from http to https but it seems not to work correctly.

default-ssl.conf: https://www.dropbox.com/s/snqdcwg2w9lv758/IMG_20171116_113546.jpg?dl=0
nextcloud.conf: https://www.dropbox.com/s/iytd98aw8u6g2oy/IMG_20171116_113652.jpg?dl=0
HSTS Test: https://www.dropbox.com/s/nxzdwg39vk7l0sr/IMG_20171116_113607.jpg?dl=0

What’s wrong with my config? Thank you!

No ideas? :confused:

Did you activate headers module on apache 2 ?

a2enmod headers

Then restart apache

You also have to add those lines inside your ssl.conf file

<IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

Thank you for your answer but it won’t work unfortunately.

Is everything ok with these lines? https://www.dropbox.com/s/snqdcwg2w9lv758/IMG_20171116_113546.jpg?dl=0

I also tried it with “add” instead of “set”.

Maybe it will do the trick but i’m not sure.
Put it all on the same line from « header » to « preload » ».

Save and restart apache2

Ok, thank you. It is working now, crazy! :face_with_raised_eyebrow: