I would like to fix the warning message “Strict-Transport-Security” HTTP header is not configured to at least “15552000” seconds. I read the documentation and all the Nextcloud subjects about this message. Everywhere, I read that I should modify my Apache configuration. I tried to modify the files I think are the Apache configuration, but apparently it is not the right file because it changes nothing.
I use Nextcloud on a Raspberry with apache2 installed with the command sudo apt-get install apache2.
I enabled a2enmod headers
I unzipped Nextcloud in /var/www/html/nextcloud
I followed exactly these instructions: https://pimylifeup.com/raspberry-pi-nextcloud-server/
I use Let’s encrypt.
I added a bad command just add the following code at end of file /etc/apache2/sites-available/default-ssl.conf.
First, I would recommend that you read about what HSTS means.
In short: if your user was connected to your HTTPS site at least once in the last 6 months (15552000 sec = 6 months), it will redirect your HTTP connection to an HTTPS connection. It may be overridden by clearing the browser cache, but nonetheless hinders testing to some extent.
I give you this link for further reading, but be aware of the implications:
Add the mentioned lines to e.g. /etc/apache2/sites-available/default-ssl.conf or the config you used to set up the ssl certificates etc. following your guide.
The guide gives steps to enable self-signed certificates. I strongly recommend switching to Let’s Encrypt/certbot. The benefit is that it automatically enables a stronger SSL configuration and users won’t face the “untrusted” warnings within their browsers when visiting your cloud.
Just apt install python-certbot-apache and certbot --apache --rsa-key-size 4096 and type in your domain info… done. It also asks if it should enable HSTS for you.
The guide offers to move data directory post-installation. Note that this can cause problems that way and it is strongly recommended to do it already inside the web installation wizard. So the database is not set up wrong first. I mention all about that here: Howto: Change / Move data directory after installation
Also, the way the guide does it, Nextcloud is installed with an SQLite database. It is strongly recommended to use MySQL or better MariaDB for it on production systems. You need to set up the database first or use an automated occ installation command. But more on this if you need.
To be true, there are better guides out there and here in the forum or docs.nextcloud.com. If you have a login there for comments, you could mention the hints there.
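
An added example, not part of the original thread or any poster's code: because the question turned on editing a file that had no effect, this Python sketch lists every VirtualHost block in an Apache configuration and reports whether it sets Strict-Transport-Security with a max-age of at least 15552000. The sample configuration, its host names and the function names are constructed for this example.

```python
import re

MIN_MAX_AGE = 15552000  # threshold named in the Nextcloud warning
# Constructed sample configuration (not taken from the thread).
SAMPLE = """
<VirtualHost *:80>
    ServerName cloud.example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName cloud.example.org
    # Header always set Strict-Transport-Security "max-age=15552000"
    Header always set Strict-Transport-Security "max-age=3600"
</VirtualHost>
<VirtualHost _default_:443>
    ServerName other.example.org
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# mod_headers syntax: Header [always|onsuccess] set|add|append|merge <name> "<value>"
HEADER = re.compile(
    r'^[ \t]*Header[ \t]+(?:(?:always|onsuccess)[ \t]+)?(?:set|add|append|merge)'
    r'[ \t]+Strict-Transport-Security[ \t]+"([^"]*)"', re.M | re.I)

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None if unusable."""
    seen = {}
    # Skip empty segments such as the one left by a trailing semicolon.
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in seen:                 # RFC 6797: a directive may appear only once
            return None
        seen[name] = arg.strip().strip('"')
    age = seen.get("max-age", "")
    return int(age) if re.fullmatch(r"[0-9]+", age) else None

def audit(conf_text):
    """Return (vhost address, max-age or None, meets threshold) per VirtualHost."""
    results = []
    for addr, body in VHOST.findall(conf_text):
        match = HEADER.search(body)      # commented-out lines do not match
        age = hsts_max_age(match.group(1)) if match else None
        results.append((addr.strip(), age, age is not None and age >= MIN_MAX_AGE))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Run against the concatenated contents of the enabled site files, a row with `None` or a value below the threshold on the port 443 virtual host that serves Nextcloud points at the file that still needs the header.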