The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS

Do you run your own server actually or Nextcloud on a shared hosting? In the latter case you cannot add the required setting yourself, but the hoster would need to.

If HSTS can be enabled on a per-directory basis, it could also be added to .htaccess, never thought about that :thinking:. Ah, it is always valid for the whole domain. So nothing for shared hostings on a per-user basis as long as there is a shared domain available as well which shall not get HSTS.

I am on 1und1 shared hosting.
Can you please explain how to solve this.

Stop using 1&1, this company is total garbage.
Shared hosting means you don’t have control over your server and you share it with other fellows… you can’t activate HSTS correctly most of the time.
You better find a provider for a VPS or dedicated server or build your own server.

Shared hosting is really a bad decision for a Nextcloud server because of lack of power, management, and confidentiality.


Basically, if possible, adding the following to a .htaccess in the webroot of your shared hosting dir would do it:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

If Nextcloud is placed right into your webroot, you can add it to the end of Nextcloud's .htaccess as well, but it might lead to integrity check warnings and might be lost on updates and when doing occ maintenance:update:htaccess.

However, depending on how the shared hosting is organised, if there is a proxy which forwards users' subdomains to their webroot, 1&1 might internally remove this header to not have HSTS enabled for their domains.

You can test it e.g. via curl: curl -IL you.domain.org
This prints all headers received by the client.

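The curl check above prints every hop's headers, and the Nextcloud warning is really a test of two things: is the header present on the final HTTPS response, and is its max-age at least 15552000. Here is an added example (not code from the thread or from Nextcloud) that evaluates a curl -IL transcript exactly that way; the transcripts embedded at the bottom are constructed, and the curl invocation in check_live is only there for running it against a domain you administer.

```python
"""Evaluate a `curl -IL` header dump the way the Nextcloud admin check does.
Added example, not code from the thread; the transcripts below are constructed."""
import re
import subprocess

MIN_MAX_AGE = 15552000  # 180 days, the threshold quoted in the Nextcloud warning


def parse_hsts(value):
    """'max-age=15552000; includeSubDomains' -> {'max-age': '15552000', 'includesubdomains': True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def final_headers(transcript):
    """curl -IL prints one header block per redirect hop; only the last hop counts."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", transcript.strip()) if b.strip()]
    headers = {}
    if not blocks:
        return headers
    for line in blocks[-1].splitlines():
        name, sep, value = line.partition(":")
        if sep:  # skips the "HTTP/2 200" status line
            headers[name.strip().lower()] = value.strip()
    return headers


def evaluate(transcript):
    """Return (ok, reason); ok is True only when max-age >= MIN_MAX_AGE."""
    headers = final_headers(transcript)
    if "strict-transport-security" not in headers:
        return False, "Strict-Transport-Security header not set"
    directives = parse_hsts(headers["strict-transport-security"])
    raw_age = directives.get("max-age")
    if not isinstance(raw_age, str) or not raw_age.isdigit():
        return False, "max-age missing or not an integer"
    age = int(raw_age)
    if age < MIN_MAX_AGE:
        return False, f"max-age={age} is below {MIN_MAX_AGE}"
    suffix = " with includeSubDomains" if directives.get("includesubdomains") else ""
    return True, f"max-age={age}{suffix}"


def check_live(url):
    """Run `curl -sIL` against a host you administer and evaluate the final hop."""
    out = subprocess.run(["curl", "-sIL", url], capture_output=True, text=True, check=True).stdout
    return evaluate(out)


# Constructed transcripts: a redirect to HTTPS followed by a correct header, a
# response without the header, and one whose max-age is far too short.
SAMPLE_OK = (
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://cloud.example.org/\r\n\r\n"
    "HTTP/2 200\r\nstrict-transport-security: max-age=15552000; includeSubDomains\r\n"
    "content-type: text/html; charset=utf-8\r\n"
)
SAMPLE_MISSING = "HTTP/2 200\r\ncontent-type: text/html\r\n"
SAMPLE_SHORT = "HTTP/2 200\r\nStrict-Transport-Security: max-age=300\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_live(sys.argv[1]))
    else:
        for sample in (SAMPLE_OK, SAMPLE_MISSING, SAMPLE_SHORT):
            print(evaluate(sample))
```

Run it as python3 hsts_check.py https://your.domain.org to see the same verdict the admin page reaches, or without an argument to see the three constructed cases. Only the last redirect hop is evaluated because a browser only stores the HSTS policy from a response it received over HTTPS, which is what the final hop of a http to https redirect is.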

You know why this question keeps being asked over and over again? Because the answer isn’t clear. Everyone keeps copying and pasting the same answer and not answering the question, or wants to waste time with arrogant remarks like “Why don’t you know this stuff by now?”

If you don’t want to help, then don’t chime in.

The issue is that every answer keeps saying add it to your “virtualhost” file.
Well, I don’t have a file named “virtualhost”. Is it called something else?
Am I supposed to create this file?
If so, in which directory?

I’ve tried creating it. Didn’t work. I’ve tried adding to other .conf files as directed… not the right answer, still showing the alert.

So it keeps being asked because apparently the answers are not clear or working for everyone.


In Ubuntu, apache2 stores conf files in /etc/apache2/sites-enabled/

identify your conf and add before :

#nextcloud
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Hi,
I am getting the exact same issue and I have followed the manual example by adding

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

to my default vhosts SSL conf file in /etc/apaches/vhosts.d
AND
I still get the same issue. I even tried adding the line indicated above to the .htaccess file, no improvement.

@John_Critchley you may post your apache vhost config here. (or the ssl part of it without sensitive data).

It’s difficult to say anything without this.

Sorry, but the formatting of the quoted file didn’t work correctly, but that is the file content.

Any help - much appreciated

Regards

John

SSL Virtual Host Context

#<VirtualHost 192.168.0.2:443>
<VirtualHost *:443>

#  General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName REMOVED
ServerAdmin root@localhost
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   OCSP Stapling:
#   Enable/Disable OCSP for this virtual host.
SSLUseStapling  on

#   You can use per vhost certificates if SNI is supported.
#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined

SSLCertificateFile /etc/letsencrypt/live/REMOVED/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/REMOVED/privkey.pem

Include /etc/letsencrypt/options-ssl-apache.conf


→ ``` (three back ticks, quotes or whatever you call it) will do. before and after. in a single line.
this formatting is called markdown. google knows more details.

Did you try without <IfModule …>? And did you try Header add ...?

daniel isn’t using <IfModule …> in his config either.

Hi,
Tried the suggestion and no improvement, not the end of the world. But thanks for trying.

Regards

It actually worked

Hi

Did you solve it at IONOS webspace?
If yes, please let me know how-to.
Thanks

If you are running Nextcloud in a docker container on Unraid and get this error, navigate to appdata/nextcloud/nginx/site-confs. There is a file called default. Open it in a text editor and uncomment line 20 (add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;), save the file and restart Nextcloud. The error should go away.


thank you my fellow unraid friend… :slight_smile:


This “Strict-Transport-Security” problem and the 4 infamous .well-known/carddav, caldav, webfinger, nodeinfo have been bugging me for a year now. I dropped them after a while, thinking it’s not the end of the world. But today I finally found the solution. First, some background info: OS is Debian 10.12. And I have full root access to the OS, which may not apply to everyone.

  • Short version: change AllowOverride None to AllowOverride All in the <Directory /var/www/> of the apache2.conf or httpd.conf so it will become something like this:
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>

As of Debian 10 the apache2.conf is in the /etc/apache2/ directory. I don’t know about httpd.conf (Ubuntu?).
Sidenote: copying and pasting AllowOverride All into all the nextcloud.conf, 000-default.conf, 000-default-le-ssl.conf and nextcloud-ssl.conf etc… doesn’t work at all.

  • Long version, or the roundabout way it took me to fix 5 long-standing problems in my Nextcloud by just a simple edit:
  1. First I was looking for the carddav solution in the doc.nextcloud.com and came across this line:

For the first case the .htaccess file shipped with Nextcloud should do this work for you when you’re running Apache. You need to make sure that your Web server is using this file.

  2. After a quick Google about .htaccess not working, I found this:

.htaccess needs to be enabled with AllowOverride
This is the first thing that should be verified. If the AllowOverride directive is set to None then this will disable all .htaccess files. In order to verify this, you must open the Apache configuration file (typically either called httpd.conf or apache.conf) and check that the AllowOverride directive is set to AllowOverride All. If you needed to make changes to your Apache config, remember to save the file and restart Apache. sudo service apache2 restart

Well, you can see that the solution for Strict-Transport-Security is dead simple, and yet it is obscured in another instruction for an unrelated problem. Which is why I have to agree with LincH here. Both the instructions and the answers are unclear, which makes people ask the same thing over and over again. And for me it cost one year for a simple edit to fix the problem.
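The two things this post turns on are visible in the config text itself: whether a Strict-Transport-Security Header directive is set in the :443 VirtualHost (or at server level), and whether the <Directory> covering the webroot has an AllowOverride that lets Apache read a .htaccess at all (mod_headers directives in .htaccess need AllowOverride All or FileInfo). The following is an added example, not code from the thread or from Nextcloud: a small scanner over Apache config text that reports both, and also flags the curly-quote copy-and-paste mistake seen earlier in this thread. The config it scans is constructed for the example.

```python
"""Scan Apache config text for the HSTS Header directive and AllowOverride.
Added example, not from the thread; SAMPLE and BAD_QUOTES are constructed."""
import re

MIN_MAX_AGE = 15552000  # the threshold named in the Nextcloud warning
OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")
HSTS = re.compile(
    r'^(?:always\s+)?(?:set|add|append|merge)\s+strict-transport-security\s+"([^"]*)"', re.I)


def max_age_of(value):
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def enclosing(stack, tag):
    """Argument of the innermost open <tag ...> container, or None."""
    for name, arg in reversed(stack):
        if name == tag:
            return arg
    return None


def scan(config_text):
    """Walk the config line by line, tracking open containers as a stack."""
    stack, vhosts, dirs, problems = [], {}, {}, []
    global_hsts = None  # a Header set outside any VirtualHost applies to all of them
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            tag, arg = m.group(1).lower(), m.group(2).strip()
            stack.append((tag, arg))
            if tag == "virtualhost":
                vhosts.setdefault(arg, None)
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = re.split(r"\s+", line, 1)
        directive = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if directive == "allowoverride":
            d = enclosing(stack, "directory")
            if d is not None:
                dirs[d] = args
        elif directive == "header":
            if "\u201c" in args or "\u201d" in args:
                problems.append('curly quotes in Header directive (must be straight "): ' + args)
            m = HSTS.match(args)
            if m:
                age = max_age_of(m.group(1))
                v = enclosing(stack, "virtualhost")
                if v is None:
                    global_hsts = age
                else:
                    vhosts[v] = age
    return {"vhosts": vhosts, "directories": dirs, "global_hsts": global_hsts, "problems": problems}


def findings(config_text):
    """Human-readable list of why the Nextcloud warning would still appear."""
    r = scan(config_text)
    out = list(r["problems"])
    for arg, age in r["vhosts"].items():
        if ":443" not in arg:
            continue  # the HSTS header only matters on the HTTPS vhost
        effective = age if age is not None else r["global_hsts"]
        if effective is None:
            out.append(f"<VirtualHost {arg}>: no Strict-Transport-Security header")
        elif effective < MIN_MAX_AGE:
            out.append(f"<VirtualHost {arg}>: max-age {effective} is below {MIN_MAX_AGE}")
    for path, value in r["directories"].items():
        words = value.lower().split()
        if "all" not in words and "fileinfo" not in words:
            out.append(f"<Directory {path}>: AllowOverride {value} means Header lines "
                       "in a .htaccess here are ignored")
    return out


# Constructed config: webroot with AllowOverride None plus a correct :443 vhost.
SAMPLE = """
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<VirtualHost *:80>
    ServerName cloud.example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName cloud.example.org
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
</VirtualHost>
"""
# Constructed: the directive pasted with word-processor quotes.
BAD_QUOTES = 'Header always set Strict-Transport-Security \u201cmax-age=63072000; includeSubDomains\u201d\n'

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(findings(text)) or "no findings")
```

Point it at your own file with python3 apache_hsts_scan.py /etc/apache2/sites-enabled/nextcloud.conf. Note that the scanner reads one file at a time and does not follow Include lines, so a Directory block in apache2.conf and a VirtualHost in sites-enabled have to be checked separately, which is exactly the split this post describes.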

OK, a quick update: in the fix in the previous post I forgot to mention that it needs this line inserted at the top of the .htaccess: Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains". But if you update Nextcloud, it will reset and the warning comes back.
So I was looking for a more reliable fix and came to a shocking reveal: the setting for Enable HTTP Strict Transport Security is in the incorrect order. I don’t know if it was caused by an apache update or debian update or something else. But here’s the fix:

  • So instead of this setting
<VirtualHost *:443>
     ServerName cloud.nextcloud.com
     <IfModule mod_headers.c>
          Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
     </IfModule>
 </VirtualHost>

Now we have to do it like this:

<IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
     <VirtualHost *:443>
           ServerName cloud.nextcloud.com
     </VirtualHost>
</IfModule>

Tested this on my server and it works as expected.
Now we need more people testing this method and confirming it works. Then finally we can edit the wiki and put an end to this mess.


It’s not. I have set it up like in your first example for years and never had any issues. Not sure what caused your issue, but you definitely don’t have to make every line of your VirtualHost config conditional to the presence of the headers module, except maybe if you want the whole config not to work anymore in case the headers module got disabled. https://httpd.apache.org/docs/2.4/en/mod/core.html#ifmodule

Here are my working VirtualHosts based on this tutorial: (German)… I have used this same exact config for a few years now and never had any issues:

001-cloud.mydomain.tld.conf
<VirtualHost *:80>
Servername cloud.mydomain.tld
DocumentRoot /var/www/html/nextcloud

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.mydomain.tld
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
001-cloud.mydomain.tld-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cloud.mydomain.tld
DocumentRoot /var/www/html/nextcloud

<Directory /var/www/html/nextcloud/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
Satisfy Any
</Directory>

<IfModule mod_dav.c>
Dav off
</IfModule>

<Directory /var/nextcloud-data/>
Require all denied
</Directory>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]

SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud

<IfModule mod_reqtimeout.c>
RequestReadTimeout body=0
</IfModule>

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCACertificateFile /etc/letsencrypt/live/cloud.mydomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mydomain.tld/privkey.pem

SSLEngine on
SSLOptions +StrictRequire
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLOpenSSLConfCmd Curves X448:secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
</VirtualHost>
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>