"Strict-Transport-Security" HTTP-Header // not able to activate

Django3 · November 16, 2017, 10:57am

Hello,

i am not able to activate the “Strict-Transport-Security” HTTP-Header (get always the error message in the admin page.

Der “Strict-Transport-Security” HTTP-Header ist nicht auf mindestens “15552000” Sekunden eingestellt. Für mehr Sicherheit wird das Aktivieren von HSTS empfohlen, wie es in unseren Sicherheitshinweisen erläutert ist.

… and i also have activated redirecting from http to https but it seems not to work correctly.

default-ssl.conf: Dropbox - File Deleted - Simplify your life
nextcloud.conf: Dropbox - File Deleted - Simplify your life
HSTS Test: https://www.dropbox.com/s/nxzdwg39vk7l0sr/IMG_20171116_113607.jpg?dl=0

What’s wrong with my config? Thank you!

Django3 · November 18, 2017, 2:11pm

No ideas?

Nemskiller · November 18, 2017, 2:22pm

Did you activate headers module on apache 2 ?

a2enmod headers

Then restart apache

You also have to add those lines inside your ssl.conf file

<IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

Django3 · November 21, 2017, 2:01pm

Thank you for your answer but it won’t work unfortunately.

Is everything ok with these lines? https://www.dropbox.com/s/snqdcwg2w9lv758/IMG_20171116_113546.jpg?dl=0

I also tried it with “add” instead of “set”.

Nemskiller · November 21, 2017, 4:30pm

Maybe it will do the trick but i’m not sure.
Put it all on the same line from « header » to « preload » ».

Save and restart apache2

Django3 · November 22, 2017, 8:28am

Ok, thank you. It is working now, crazy!