"The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS" despite already done

Nextcloud version (eg, 20.0.5): 21.0.3
Operating system and version (eg, Ubuntu 20.04): Debian 10.10
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.38 (Debian)
PHP version (eg, 7.4): PHP 7.3.29-1~deb10u1

The issue you are facing:

When going to the “Overview” page as administrator, I get the error “The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS” despite this already being done in my Apache site configuration file for Nextcloud.

I have already looked on the forum and looked at other solutions, but no solution works for me.

Many thanks in advance, much appreciated!

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. Log in as admin
  2. Click on “Settings”
  3. Click on “Overview”

Here is a copy of my nextcloud.conf within my sites-available folder:

<VirtualHost *:80>
  ServerAdmin <deleted>
  ServerName 192.168.1.6
  Redirect permanent / https://192.168.1.6/
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin <deleted>
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
  DocumentRoot "/var/www/html/nextcloud/"
  ServerName 192.168.1.6/nextcloud
    <Directory "/var/www/html/nextcloud/">
      Options MultiViews FollowSymlinks
      AllowOverride All
      Order allow,deny
      Allow from all
    </Directory>
  TransferLog /var/log/apache2/nextcloud_access.log
  ErrorLog /var/log/apache2/nextcloud_error.log
</VirtualHost>

Running apache2’s built-in config file checker:

root@octopussy:/etc/apache2/sites-available# /usr/sbin/apachectl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
root@octopussy:/etc/apache2/sites-available#

The output of your Nextcloud log in Admin > Logging:


Level	App	Message		Time
Error	core	Doctrine\DBAL\Query\QueryException: More than 1000 expressions in a list are not allowed on Oracle.	
2021-07-30T17:57:31+0100
Error	core	Doctrine\DBAL\Query\QueryException: More than 1000 expressions in a list are not allowed on Oracle.	
2021-07-30T17:57:26+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:06+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:06+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:06+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:06+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:06+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:06+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:06+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:05+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:04+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100
Fatal	webdav	OCP\Encryption\Exceptions\GenericEncryptionException: Bad Signature	
2021-07-30T16:44:03+0100

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '<deleted>',
  'passwordsalt' => '<deleted>',
  'secret' => '<deleted>',
  'trusted_domains' => 
  array (
    0 => '192.168.1.6',
  ),
  'datadirectory' => '/media/cloud/sync/',
  'dbtype' => 'mysql',
  'version' => '21.0.3.1',
  'overwrite.cli.url' => 'https://192.168.1.6/nextcloud',
  'dbname' => 'nextclouddb',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '<deleted>',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => '<deleted>',
  'mail_domain' => '<deleted>',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.<deleted>.org',
  'mail_smtpname' => '<deleted>',
  'mail_smtppassword' => '<deleted>',
  'mail_smtpauthtype' => 'PLAIN',
  'trashbin_retention_obligation' => '0, auto',
  'versions_retention_obligation' => '0, auto',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'maintenance' => false,
  'updater.secret' => '<deleted>',
  'theme' => '',
  'loglevel' => 2,
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
);

The output of your Apache/nginx/system log in /var/log/____:

error.log

[Fri Jul 30 16:24:57.190943 2021] [ssl:warn] [pid 706] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 30 16:24:57.191147 2021] [mpm_prefork:notice] [pid 706] AH00163: Apache/2.4.38 (Debian) OpenSSL/1.1.1d configured -- resuming normal operations
[Fri Jul 30 16:24:57.191156 2021] [core:notice] [pid 706] AH00094: Command line: '/usr/sbin/apache2'
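
An added example, not part of the original post and not Nextcloud's own check: a small parser that evaluates the `Strict-Transport-Security` header in a raw HTTP response against the 15552000-second threshold quoted in the warning. The function names and the sample responses are constructed for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning above

def hsts_headers(raw_response):
    """Return every Strict-Transport-Security value in a raw header block."""
    values = []
    for line in raw_response.splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                  # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values

def parse_max_age(value):
    """Extract max-age (seconds) from one header value, or None if invalid."""
    found = None
    for directive in value.split(";"):
        name, sep, arg = directive.strip().partition("=")
        if name.strip().lower() != "max-age":     # directive names are case-insensitive
            continue
        if found is not None:
            return None                            # RFC 6797: no directive may repeat
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                        # quoted-string form is allowed
        if not sep or not re.fullmatch(r"[0-9]+", arg):
            return None
        found = int(arg)
    return found

def check_hsts(raw_response):
    """Classify a response as 'ok', 'too-short', 'invalid' or 'missing'."""
    values = hsts_headers(raw_response)
    if not values:
        return "missing"
    max_age = parse_max_age(values[0])             # RFC 6797: only the first field counts
    if max_age is None:
        return "invalid"
    return "ok" if max_age >= MIN_MAX_AGE else "too-short"

# Constructed sample responses (not captured from the poster's server).
WITH_HSTS = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n")
WITHOUT_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SHORT = 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age="3600"\r\n\r\n'

if __name__ == "__main__":
    for label, resp in [("with", WITH_HSTS), ("without", WITHOUT_HSTS), ("short", SHORT)]:
        print(label, check_hsts(resp))
```

Feed `check_hsts` the output of `curl -skI` for the exact URL opened in the browser, since a `Header` directive placed in one virtual host does not apply to responses served by another.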