Unable to enable HSTS even with proper configurations set

So I’m getting the following error on the Administration Overview tab:

The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.

This is my code for /etc/apache2/sites-enabled/nextcloud-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    ServerName nextcloud

    # This block is only evaluated when mod_headers is loaded (a2enmod headers);
    # if the module is missing, Apache silently skips it and no HSTS header is sent.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    TransferLog /var/log/apache2/nextcloud_access.log
    ErrorLog /var/log/apache2/nextcloud_error.log

    ServerAlias cloud.domain.com
    SSLCertificateFile /etc/letsencrypt/live/cloud.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

So what seems to be the problem here? I’ve restarted apache2 multiple times, yet Nextcloud complains that HSTS is not set. (Using curl to check, you’ll see HSTS is clearly not enabled as well.)

Is mod_headers installed and enabled?

You didn’t provide many details on your environment. But that would be the primary culprit (assuming you’ve restarted Apache recently).

My environment is Ubuntu 22.04.3, and yes, I didn’t realize that mod_headers was enabled. After enabling mod_headers with the commands a2enmod headers and systemctl restart apache2, all security checks passed. (That even solved the “transactional file locking” warning I had as well.)
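The check the thread ends on (is mod_headers loaded, and does the served Strict-Transport-Security header carry a max-age of at least 15552000 seconds?) can be scripted so it is not done by eye. The script below is an added example, not code from the thread or from Nextcloud; it assumes curl and apache2ctl are installed for the live part, and the SAMPLE_HEADERS response is constructed, not captured from a real server. The parser handles the edge cases that trip up a manual check: a missing header, a header with no max-age directive, mixed-case directive names, and CRLF line endings from curl.

```shell
#!/bin/sh
# Added example (not from the thread): verify an HSTS header the way the
# Nextcloud overview check does. Threshold is the value the warning quotes.
HSTS_MIN_AGE=15552000

# hsts_max_age HEADER_VALUE
# Prints the max-age number from a Strict-Transport-Security value, or nothing
# if the directive is absent. Directive names are case-insensitive, so the
# value is lower-cased; spaces are dropped and directives split on ';'.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ';' '\n' \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# hsts_ok HEADER_VALUE -> exit 0 if max-age >= HSTS_MIN_AGE, 1 otherwise
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# check_response_headers RAW_HEADERS
# Takes the raw response header text (as produced by `curl -sI`) and reports
# whether HSTS is present and strong enough. Returns 0 only when it is.
check_response_headers() {
    value=$(printf '%s\n' "$1" | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
    if [ -z "$value" ]; then
        echo "HSTS header missing"
        return 1
    fi
    if hsts_ok "$value"; then
        echo "HSTS ok: $value"
        return 0
    fi
    echo "HSTS max-age too low: $value"
    return 1
}

# check_live_host URL
# Fetches the headers from a running server and, when apache2ctl is available
# locally, also confirms mod_headers is loaded: without it the
# <IfModule mod_headers.c> block in the vhost is skipped silently.
# Constructed usage:  check_live_host https://cloud.domain.com/
check_live_host() {
    check_response_headers "$(curl -sI "$1")"
    rc=$?
    if command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl -M 2>/dev/null | grep -q headers_module \
            || echo "mod_headers not loaded: run 'a2enmod headers' and restart apache2"
    fi
    return $rc
}

# Constructed sample response (not captured from a real host) carrying the
# exact header value from the vhost config in the thread.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html; charset=utf-8'

# Stand-alone run: checks the constructed sample and prints "HSTS ok: ...".
check_response_headers "$SAMPLE_HEADERS"
```

The live check deliberately looks at both ends: the served header is what Nextcloud's check and browsers see, while `apache2ctl -M` explains the most common reason the header is absent even though the directive is in the config.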
