Unable to enable HSTS even with proper configurations set

So I’m getting the following error on Administration Overview tab:

The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips :arrow_upper_right:.

This is my code for the /etc/apache2/sites-enabled/nextcloud-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/nextcloud"
    ServerName nextcloud
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    <Directory "/var/www/nextcloud/">
        Options MultiViews FollowSymlinks
        AllowOverride All
        Order allow,deny
        Allow from all

   TransferLog /var/log/apache2/nextcloud_access.log
   ErrorLog /var/log/apache2/nextcloud_error.log

ServerAlias cloud.domain.com
SSLCertificateFile /etc/letsencrypt/live/cloud.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

So what seems to be the problem here? I’ve restarted apache2 for multiple times yet Nextcloud complains for HSTS not set. (Using curl to check you’ll see HSTS is clearly not enabled as well)

Is mod_headers installed and enabled?

You didn’t provide many details on your environment. But that would be the primarily culprit (assuming you’ve restarted Apache recently).

My environment is Ubuntu 22.04.3, and yes I didn’t realize that mod_headers was enabled, after enabling mod_headers with the command a2enmod headers and systemctl restart apache2 all security checks passed. (that even solved the “transactional file locking” warning I had as well)

1 Like