Strict-Transport-Security keeps saying it's not implemented

Nextcloud version : 28.0.3
Operating system and version: Debian 11
Apache or nginx version: Apache 2.4.56
PHP version: 8.2

Issue:
Strict-Transport-Security doesn't work

What is wrong on this config file?

/etc/apache2/sites-available/nextcloud.conf:

<VirtualHost *:80>
     ServerAdmin (my email)
     DocumentRoot /var/www/nextcloud/
     ServerName (my server)

     <IfModule mod_headers.c>
         Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
     </IfModule>

     Alias /nextcloud "/var/www/nextcloud/"

     <Directory /var/www/nextcloud/>
         Options +FollowSymlinks
         AllowOverride All
         Require all granted
         <IfModule mod_dav.c>
             Dav off
         </IfModule>
         SetEnv HOME /var/www/nextcloud
         SetEnv HTTP_HOME /var/www/nextcloud
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

Your config is HTTP only. For HSTS to work you need a working HTTPS config first, otherwise there is no point in adding the HSTS header.

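As an added illustration of the answer above (this is not config from the thread or from the Nextcloud project), here is the same site split into two virtual hosts: a port 80 host that only redirects to HTTPS, and a port 443 host that terminates TLS and is the only place the HSTS header is sent. The hostname cloud.example.com, the admin address and the certificate and key paths are assumed placeholders; replace them with your own.

```apache
# Added example, not the original poster's config.
# Assumed placeholders: cloud.example.com, admin@example.com, certificate paths.

<VirtualHost *:80>
    ServerName cloud.example.com
    # Plain HTTP serves nothing; it only sends clients to HTTPS.
    # No HSTS header here: browsers ignore HSTS received over HTTP.
    Redirect permanent / https://cloud.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.example.com
    ServerAdmin admin@example.com
    DocumentRoot /var/www/nextcloud/

    # TLS termination (requires: a2enmod ssl). Paths are placeholders.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cloud.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/cloud.example.com.key

    # HSTS belongs only in the HTTPS host (requires: a2enmod headers).
    # max-age=15552000 seconds is 180 days, the value used in the thread.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Enable the modules with `a2enmod ssl headers`, run `apachectl configtest` before reloading, and then check the result with `curl -sI https://cloud.example.com/ | grep -i strict-transport-security`. The same request over `http://` should show only the 301 redirect and no HSTS header, which is the expected behaviour: the header is meaningful only on a response the browser received over TLS.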

So what’s the best way to switch to nginx from apache?

Why do you want to switch to NGINX?

NGINX does not automatically do HTTPS for you either, you need to configure it accordingly.

To be honest, I have no clue how to do that without completely resetting the server.

How do you use your Nextcloud and where is it installed?

While I generally recommend using HTTPS everywhere, even on your local network and certainly if you’re making it accessible from the Internet, there are situations where you can leave it out, e.g. if you’re only using it locally on your PC for testing, in which case you also don’t need to set a HSTS header because, as I said, it only makes sense if you’re using HTTPS.

However, if you are going to use your Nextcloud productively, I would recommend that you first familiarise yourself with the basics, such as configuring HTTPS on Apache.

So yes, reinstalling is probably not a bad idea, maybe even several times. In fact, setting things up, breaking them, and then setting them up again until you figure out how to get them right is a good way to learn and gain experience.

Alternatively, you could take a look at Nextcloud AIO, which makes configuration and operation much simpler compared to a manual installation.