So I’m getting the following error on the Administration Overview tab:
The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
This is my code for /etc/apache2/sites-enabled/nextcloud-le-ssl.conf:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        DocumentRoot "/var/www/nextcloud"
        ServerName nextcloud
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>
        <Directory "/var/www/nextcloud/">
            Options MultiViews FollowSymlinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        TransferLog /var/log/apache2/nextcloud_access.log
        ErrorLog /var/log/apache2/nextcloud_error.log
        ServerAlias cloud.domain.com
        SSLCertificateFile /etc/letsencrypt/live/cloud.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>
So what seems to be the problem here? I’ve restarted apache2 multiple times, yet Nextcloud complains that HSTS is not set. (Checking with curl, you’ll see HSTS is clearly not enabled as well.)
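
The curl check mentioned above can be scripted. The following is an added example, not part of the original post: it parses response headers and compares the HSTS max-age with the 15552000-second minimum from the warning. The function names and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an HTTP response's HSTS header against the
# 15552000-second minimum that the Nextcloud warning asks for.
MIN_AGE=15552000

# hsts_max_age: read raw response headers on stdin and print the max-age of
# the first Strict-Transport-Security header (RFC 6797 processes only the
# first one). Prints nothing if the header or the directive is absent.
hsts_max_age() {
    tr -d '\r' |
    awk '
        tolower($0) ~ /^strict-transport-security[ \t]*:/ {
            sub(/^[^:]*:/, "")              # drop the field name
            n = split($0, parts, ";")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/[ \t"]/, "", d)       # trim spaces and optional quotes
                if (tolower(d) ~ /^max-age=[0-9]+$/) {
                    sub(/^[^=]*=/, "", d); print d; break
                }
            }
            exit                            # ignore any later HSTS headers
        }'
}

# hsts_check: returns 0 = meets minimum, 1 = header missing, 2 = too short
hsts_check() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo "FAIL: no usable Strict-Transport-Security header"; return 1
    elif [ "$age" -lt "$MIN_AGE" ]; then
        echo "FAIL: max-age=$age is below $MIN_AGE"; return 2
    fi
    echo "OK: max-age=$age"
}

# Constructed sample responses (not captured from any real server).
sample_missing() { printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'; }
sample_short()   { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n'; }
sample_good()    { printf 'HTTP/2 200\r\nstrict-transport-security: max-age=15552000; includeSubDomains\r\n\r\n'; }

# Demo over the samples; "|| true" keeps the loop going on failing cases.
for s in sample_missing sample_short sample_good; do
    printf '%s: ' "$s"; "$s" | hsts_check || true
done
# Against the live vhost: curl -sI https://cloud.domain.com | hsts_check
```

Because the `Header` directive in the posted config sits inside `<IfModule mod_headers.c>`, Apache skips it without any error when mod_headers is not loaded; `apache2ctl -M` lists the loaded modules.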