The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS

When I run “Security & setup warnings” I get this message:

The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS

Where do I add this line?
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

Nextcloud v17.0.2

1 Like

Please use the documentation and the search function of the forum.
It has already been answered a lot of times.
Good search

https://docs.nextcloud.com/server/17/admin_manual/installation/harden_server.html#enable-http-strict-transport-security


1 Like

You can get a good example configuration here:

https://ssl-config.mozilla.org/

The documentation says:
“can be achieved by setting the following settings within the Apache VirtualHost file

Where is the file?

Do you use Apache or Nginx as the webserver of your Nextcloud instance?

https://docs.nextcloud.com/server/17/admin_manual/installation/source_installation.html#apache-web-server-configuration

Do you run your own server actually or Nextcloud on a shared hosting? In the latter case you cannot add the required setting yourself, but the hoster would need to.

If HSTS can be enabled on a directory basis, it could also be added to .htaccess, never thought about that :thinking:. Ah, it is always valid for the whole domain. So nothing for shared hostings on a per-user basis as long as there is a shared domain available as well which shall not get HSTS.

I am at 1und1 shared hosting.
Can you please explain how to solve this.

Stop using 1&1; this company is total garbage.
Shared hosting means you don’t have control over your server and you share it with other fellows… you can’t activate HSTS correctly most of the time.
You had better find a provider for a VPS or dedicated server, or build your own server.

Shared hosting is really a bad decision for a Nextcloud server because of the lack of power, management, and confidentiality.

1 Like

Basically, if possible, adding the following to a .htaccess in the webroot of your shared hosting dir would do it:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

If Nextcloud is placed right into your webroot, you can add it to the end of Nextcloud's .htaccess as well, but it might lead to integrity check warnings and might be lost on updates and when running occ maintenance:update:htaccess.

However, depending on how the shared hosting is organised, if there is a proxy which forwards users' subdomains to their webroot, 1&1 might internally remove this header so as not to have HSTS enabled for their domains.

You can test it e.g. via curl: curl -IL you.domain.org
This prints all headers received by the client.

4 Likes
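As an added example (not code from the thread or from Nextcloud), a small POSIX shell check that parses `curl -IL` output the way the post above suggests: it reads the Strict-Transport-Security header from the final response in the chain and compares its max-age against the 15552000-second threshold from the warning. The hostname cloud.example.org and the sample response are constructed.

```shell
#!/bin/sh
# Added example: evaluate the HSTS header in saved `curl -IL` output against
# the threshold Nextcloud's setup check expects (15552000 s = 180 days).
# Works offline; the sample response at the bottom is constructed.

NEXTCLOUD_MIN_AGE=15552000

# Print the max-age from the Strict-Transport-Security header of the LAST
# response in the input. `curl -IL` prints one header block per redirect hop,
# so the value is reset at every status line and only the final hop counts.
# Prints 0 when the final response carries no HSTS header.
hsts_max_age() {
    awk '
        { sub(/\r$/, "") }                  # curl output has CRLF line ends
        /^HTTP\// { age = "" }              # new hop: forget the previous hop
        tolower($1) == "strict-transport-security:" {
            for (i = 2; i <= NF; i++) {     # e.g. "max-age=15552000;" "includeSubDomains"
                sub(/;$/, "", $i)
                if (tolower($i) ~ /^max-age=/) { split($i, kv, "="); age = kv[2] }
            }
        }
        END { print (age == "" ? 0 : age) + 0 }
    '
}

# Return 0 when the header meets the threshold, 1 otherwise, and say why.
check_hsts() {
    age=$(hsts_max_age)
    if [ "$age" -ge "$NEXTCLOUD_MIN_AGE" ]; then
        echo "OK: HSTS max-age=$age (>= $NEXTCLOUD_MIN_AGE)"
        return 0
    fi
    echo "WARN: HSTS max-age=$age is below $NEXTCLOUD_MIN_AGE (or the header is missing)"
    return 1
}

# Constructed sample of a curl -IL run: an HTTP->HTTPS redirect followed by
# the final response carrying the header recommended in the thread.
SAMPLE_OK='HTTP/1.1 301 Moved Permanently
Location: https://cloud.example.org/

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html'

printf '%s\n' "$SAMPLE_OK" | check_hsts
```

On a live server, run `curl -IL https://your.domain | check_hsts` after sourcing the script; a WARN with max-age 0 on the final hop usually means the directive landed in a vhost or .htaccess that is not the one actually serving the request.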

You know why this question keeps being asked over and over again? Because the answer isn’t clear. Everyone keeps copying and pasting the same answer and not answering the question, or wants to waste time with arrogant remarks like “Why don’t you know this stuff by now”?

If you don’t want to help, then don’t chime in.

The issue is that every answer keeps saying add it to your “virtualhost” file.
Well, I don’t have a file named “virtualhost”. Is it called something else?
Am I supposed to create this file?
If so, in which directory?

I’ve tried creating it. Didn’t work. I’ve tried adding it to other .conf files as directed… not the right answer, still showing the alert.

So it keeps being asked because apparently the answers are not clear or working for everyone.

2 Likes

In Ubuntu, apache2 stores conf files in /etc/apache2/sites-enabled/

Identify your conf and add before:

#nextcloud
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Hi,
I am getting the exact same issue and I have followed the manual example by adding

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

to my default vhosts ssl conf file in /etc/apache2/vhosts.d
AND
I still get the same issue. I even tried adding the line indicated above to the .htaccess file, no improvement.

@John_Critchley you may post your apache vhost config here (or the ssl part of it without sensitive data).

It’s difficult to say anything without this.

Sorry, but the formatting of the quoted file didn’t work correctly; that is the file content.

Any help - much appreciated

Regards

John

SSL Virtual Host Context

#<VirtualHost 192.168.0.2:443>
<VirtualHost *:443>

#  General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName REMOVED
ServerAdmin root@localhost
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   OCSP Stapling:
#   Enable/Disable OCSP for this virtual host.
SSLUseStapling  on

#   You can use per vhost certificates if SNI is supported.
#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined

SSLCertificateFile /etc/letsencrypt/live/REMOVED/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/REMOVED/privkey.pem

Include /etc/letsencrypt/options-ssl-apache.conf

1 Like

→ ``` (three back ticks, quotes or whatever you call it) will do, before and after, each on a single line.
This formatting is called markdown. Google knows more details.

Did you try without <IfModule …>? And did you try Header add ...

Daniel isn’t using <IfModule …> in his config either.

Hi,
Tried the suggestion and no improvement; not the end of the world. But thanks for trying.

Regards