Strict-Transport-Security

I had a warning in the admin, the following message:
The “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds.

I followed the guide on https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html#enable-hsts-label

I copied and pasted the following code into the .htaccess file:
<VirtualHost *:443>
ServerName cloud.nextcloud.com

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

I changed the ServerName to my domain.
When I go to my domain, I get a 500 Internal Server Error.
I removed the code, but I still can’t reach my domain. How can I fix this and the above warning?

Check your server’s error.log to see why you get error 500.

The server error says: <VirtualHost not allowed here.

I can reach my domain again. But how can I fix the warning mentioned above? Do I have the wrong .htaccess file, because there is more than one?

This part must go into your apache-config. You can’t do this in a .htaccess.

Where can I find this file?

/etc/apache2/sites-available/yournextcloud.conf

Restart Apache after modifying the file.

Please also make sure to add this in the HTTPS section of your config.
*:80 -> HTTP | *:443 -> HTTPS

I can’t find the “apache”.conf file. Can I find that file in my cPanel area?

I don’t know cPanel; you might want to check with their community whether you can manually add stuff to a vhost.

Can’t it be done, somehow, in a .htaccess file?

If your server configuration allows such changes, it is possible:


Yes, thank you very much! The warning is gone!

I updated NC yesterday, but the changes in the .htaccess file are gone. Does this happen all the time when I update NC?
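
Added example, not part of the original thread: a small Python check of a Strict-Transport-Security value against the 15552000-second minimum from the warning, which can be re-run after a config change or an update. The function names and sample values are made up for this example; the parsing rules follow RFC 6797.

```python
import re

MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud admin warning


def parse_hsts(value):
    """Parse one Strict-Transport-Security value into {directive: value}.

    Returns None when the header is malformed under RFC 6797 section 6.1
    (a repeated directive, or a missing or non-numeric max-age).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # the value may be a quoted-string
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None
    return directives


def check_hsts(scheme, header_values):
    """Return (ok, reason) for the STS headers of one response (hypothetical helper)."""
    if scheme != "https":
        return False, "HSTS is ignored on plain HTTP; set it in the HTTPS vhost"
    if not header_values:
        return False, "header missing"
    # A browser processes only the first STS header field (RFC 6797 section 8.1).
    parsed = parse_hsts(header_values[0])
    if parsed is None:
        return False, "header malformed"
    age = int(parsed["max-age"])
    if age < MIN_MAX_AGE:
        return False, f"max-age {age} is below {MIN_MAX_AGE}"
    return True, f"max-age {age}, includeSubDomains={'includesubdomains' in parsed}"
```

Pass it the scheme of the request and the list of Strict-Transport-Security values from the response, for example as copied from the browser's network tab.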