Warning about HSTS, but headers are set

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.2
  • Operating system and version (e.g., Ubuntu 24.04):
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • Swag (latest version)
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • Always
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.):
    • Docker
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • Don’t know, it’s whatever the docker comes with

Summary of the issue you are facing:

A security warning appears in administration - overview:

Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds).

But this header is absolutely set:

How am I supposed to add a header that is already there? :face_with_raised_eyebrow:

Steps to replicate it (hint: details matter!):

  1. Set security headers correctly
  2. Receive A+ rating in the security scan
  3. Check administration - overview, and see this warning

Not sure what else I can say. It feels like a bog standard installation.

Log entries

Web Browser

EvalError: call to eval() blocked by CSP
EvalError: call to eval() blocked by CSP
Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'nonce-jozNO2EGoiyVJReH0YYTa7HhEaNEKayopUyqoJz7HR8='” (Missing 'unsafe-eval')
Source: ;(function r(e,t=!1){const o="6.0";let i… logging
Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'nonce-jozNO2EGoiyVJReH0YYTa7HhEaNEKayopUyqoJz7HR8='” (Missing 'unsafe-eval')
Source: ;(function n(e,t=!1){const o="6.0";let r… logging
EvalError: call to eval() blocked by CSP
Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'nonce-jozNO2EGoiyVJReH0YYTa7HhEaNEKayopUyqoJz7HR8='” (Missing 'unsafe-eval')
Source: ;(function n(e){let t=1e3,n=10;function … logging
EvalError: call to eval() blocked by CSP
Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'nonce-jozNO2EGoiyVJReH0YYTa7HhEaNEKayopUyqoJz7HR8='” (Missing 'unsafe-eval')
Source: ;(function n(e){let t=1e3,n=10;function … logging

CSP errors, probably doesn’t have anything to do with HSTS, but I’m new to this, so maybe.

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "upgrade.disable-web": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.10.3:8666",
            "nextcloud.[redacted]"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.2.1",
        "overwrite.cli.url": "https:\/\/nextcloud.[redacted]\/",
        "overwritehost": "nextcloud.[redacted]",
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "forbidden_filename_basenames": [
            "con",
            "prn",
            "aux",
            "nul",
            "com0",
            "com1",
            "com2",
            "com3",
            "com4",
            "com5",
            "com6",
            "com7",
            "com8",
            "com9",
            "com\u00b9",
            "com\u00b2",
            "com\u00b3",
            "lpt0",
            "lpt1",
            "lpt2",
            "lpt3",
            "lpt4",
            "lpt5",
            "lpt6",
            "lpt7",
            "lpt8",
            "lpt9",
            "lpt\u00b9",
            "lpt\u00b2",
            "lpt\u00b3"
        ],
        "forbidden_filename_characters": [
            "<",
            ">",
            ":",
            "\"",
            "|",
            "?",
            "*",
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            " ",
            ".",
            ".filepart",
            ".part"
        ],
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "465",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": true,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "default_phone_region": "NL",
        "maintenance_window_start": 3,
        "loglevel": 2
    }
}

Apps

Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - encryption: 2.19.0
  - files_external: 1.23.0
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - user_ldap: 1.22.0

These are just the defaults btw. But since the template is asking…

Just to be sure you are not checking something local,
what do you get here?

Result:

Maybe I missed the part about subdomains and preload… But what subdomain? My nextcloud instance is already on a subdomain and doesn’t poke around into another, afaik.

There are multiple .htaccess files, and one in particular where you need to add the section of text to fix this.

Find the .htaccess file within your Nextcloud folder (I think that’s the one) and add this AT THE END of your .htaccess file. It should be in your Nextcloud folder (/var/www/html/nextcloud/.htaccess)

<IfModule mod_headers.c>
    # "always" is a condition flag of the Header directive (send the header on
    # every response, error pages included); it belongs before "set", not inside
    # the quoted header value
    Header always set Strict-Transport-Security "max-age=63072000"
    # unrelated to HSTS, only disables directory listings
    Options -Indexes
</IfModule>

Update: you have to insert this block after every NC update, because this file apparently gets updated as part of the update process.


Keep in mind the check runs from your server (or container, in this case).

Usually it’s a DNS matter (or) the overwrite.cli.url is not reachable (so the fallback is used based on your trusted_domains which may, for example, bypass your external proxy or similar).

Run curl --head https://nextcloud.[redacted] from within your Nextcloud app container. Does the header show up there?

See Critical changes: Setup checks.

I am pretty sure OP is talking about scan.nextcloud.com.

Another “stupid” thing that gets easily overlooked, are these old results you see on the webpage? Did you force a rescan?

The very first thing in their post is about the built-in setup checks. That’s what I was responding to. :wink:


I encountered this error in the log when downloading multiple files:

“Cannot modify header information - headers already sent by (output started at /var/www/html/3rdparty/deepdiver/zipstreamer/src/ZipStreamer.php:325) at /var/www/html/3rdparty/sabre/http/lib/Sapi.php#68”

Run curl --head https://nextcloud.[redacted] from within your Nextcloud app container. Does the header show up there?

Yup, the header is there. So I don’t (and frankly shouldn’t have to) fiddle with any htaccess files :slight_smile:

Yup, the header is there.

Just to double-check: When executed from within the container? (not just from your host)?

The check itself is right here:

The only other thing I can see that might throw it off would be whitespace characters after the number value, since it does not get trimmed.
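An added example, written for this thread and not code from Nextcloud or from any poster here, that turns the two pieces of advice above into one runnable check: fetch the response headers with curl from inside the app container (so DNS and proxy routing are the ones the setup check actually sees), pull out Strict-Transport-Security, and compare max-age against the 15552000-second threshold quoted in the warning. It also flags a max-age value that is not a plain number, which is what a trailing space after the digits would produce. The function names `parse_hsts`, `hsts_verdict` and `check_url` are mine; that Nextcloud's own parser rejects trailing whitespace in exactly this way is an assumption taken from the reply above, not verified against the Nextcloud source.

```shell
#!/bin/sh
# Added example (not from the thread or from Nextcloud). Reproduces the
# HSTS part of the setup check so it can be run from inside the container.
# Threshold is the one quoted in the admin warning.
MIN_MAX_AGE=15552000

# parse_hsts: read raw HTTP response headers on stdin (as printed by
# "curl --head"), print the Strict-Transport-Security value, exit 1 if absent.
parse_hsts() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "strict-transport-security" { print $2; found = 1 }
    END { exit !found }'
}

# hsts_verdict: $1 is the header value as received. Prints one of
#   ok:<seconds>, too-short:<seconds>, not-a-plain-number:[<raw>], no-max-age
# and returns 0 only for "ok".
hsts_verdict() {
  # everything between "max-age=" and the next ";" (or end of value),
  # deliberately NOT trimmed, to mirror the untrimmed comparison described above
  raw=$(printf '%s' "$1" | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([^;]*\).*/\1/p')
  if [ -z "$raw" ]; then
    echo "no-max-age"
    return 1
  fi
  digits=$(printf '%s' "$raw" | tr -cd '0-9')
  if [ "$raw" != "$digits" ] || [ -z "$digits" ]; then
    # a stray space or other character after the number lands here
    echo "not-a-plain-number:[$raw]"
    return 1
  fi
  if [ "$digits" -lt "$MIN_MAX_AGE" ]; then
    echo "too-short:$digits"
    return 1
  fi
  echo "ok:$digits"
}

# check_url: $1 is the URL configured as overwrite.cli.url. Run this inside
# the Nextcloud app container, not on the host, to see what the check sees.
check_url() {
  value=$(curl -sS --head "$1" | parse_hsts) || {
    echo "header-missing"
    return 1
  }
  hsts_verdict "$value"
}

# usage: sh hsts_check.sh https://nextcloud.example/   (hostname is a placeholder)
if [ $# -gt 0 ]; then
  check_url "$1"
fi
```

If `check_url` prints `header-missing` from inside the container but `curl --head` on your workstation shows the header, the container is reaching a different endpoint (DNS, or the trusted_domains fallback bypassing the proxy) than your browser is, which is the situation the earlier reply describes.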