"Strict-Transport-Security" Warning not going away even after updating webserver.conf file

Nextcloud version (eg, 20.0.5): 27.1.4.
Operating system and version (eg, Ubuntu 20.04): Fedora 39
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.58
PHP version (eg, 7.4): PHP 8.2.12

I’ve followed the instructions in setting the “Strict-Transport-Security” HTTP header to 15552000 seconds in the nextcloud.conf file. Upon restarting httpd (Apache) and then rebooting the system, I continue to get the warning. Is there a step I missed out on?

Instructions used: Hardening and security guidance — Nextcloud latest Administration Manual latest documentation

First time I’ve seen this issue

Output of my Nextcloud Security and configuration warnings

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips 

Output of my config.php file in /path/to/nextcloud :

IncludeOptional conf.d/*.conf
<VirtualHost *:80>
    DocumentRoot /var/www/html/nextcloud
    ServerName server.ip
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =server.ip
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


Hi @chaeyoung

You have to add the <IfModule> section to your HTTPS-enabled Virtual Host / HTTPS config file:

<VirtualHost *:443>
    DocumentRoot /var/www/html/nextcloud
    ServerName server.ip
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

</VirtualHost>
1 Like

Yeah that’s what I did. How is your answer any different to my conf file??

You’ve added it to the HTTP VirtualHost section, starting with <VirtualHost *:80>, that redirects to HTTPS. So somewhere, either in a separate configuration file or in the same file, there must be an HTTPS VirtualHost section, starting with <VirtualHost *:443>, to which you need to add it.

1 Like

Thank you for the clarification. I found the other file, and it works now.

You really helped out.

1 Like
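
Added example (not written by anyone in this thread, and not Nextcloud or Apache project code): a Python check that scans Apache config text for every <VirtualHost> block and reports whether the HSTS header sits on an HTTPS vhost with a max-age of at least 15552000. The file names and sample contents are constructed, and treating port 443 or `SSLEngine on` as the marker of an HTTPS vhost is an assumption of this example.

```python
import re

MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning

# Constructed sample: the layout from this thread, where the header is on the
# port-80 vhost and a second file (hypothetical name) holds the 443 vhost.
SAMPLE = {
    "nextcloud.conf": """<VirtualHost *:80>
    ServerName server.ip
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>""",
    "ssl-vhost.conf": """<VirtualHost *:443>
    ServerName server.ip
    SSLEngine on
</VirtualHost>""",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
HSTS_RE = re.compile(
    r'^\s*Header\s+(?:(?:always|onsuccess)\s+)?(?:set|append|add|merge)\s+'
    r'Strict-Transport-Security\s+"?[^"\n]*max-age=(\d+)', re.I | re.M)
SSL_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.I | re.M)


def audit(configs):
    """Return (file, vhost address, max_age, status) for each <VirtualHost> block."""
    findings = []
    for name, text in configs.items():
        # Drop comment lines so a commented-out Header directive is not counted.
        text = re.sub(r"^\s*#.*$", "", text, flags=re.M)
        for addrs, body in VHOST_RE.findall(text):
            ports = {a.rsplit(":", 1)[-1] for a in addrs.split()}
            https = "443" in ports or bool(SSL_RE.search(body))  # assumption, see lead-in
            m = HSTS_RE.search(body)
            max_age = int(m.group(1)) if m else None
            if https:
                status = "ok" if (max_age or 0) >= MIN_MAX_AGE else "missing-or-too-short"
            elif max_age is not None:
                # Browsers ignore HSTS received over plain HTTP (RFC 6797).
                status = "ignored-on-http"
            else:
                status = "no-header"
            findings.append((name, addrs.strip(), max_age, status))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(*f, sep="\t")
```

Headers set at server level, outside any <VirtualHost>, are not seen by this scan, so confirm the result against the response headers actually served over HTTPS.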
