Strict-Transport-Security" HTTP header

[AndreScalaPT]

Ho everyone,

For the last three weeks I've been trying to do what Nextcloud asks me: " The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗."

I've read hundreds of questions about this and all the documentation, I've tried "/var/lib/docker/volumes/nextcloud_aio_apache" but no config file.

And force the redirect to HTTPS is in the same file?

Thank you,
kind regards,
André

[Zoey2936]

Are you using a reverse proxy?

[Zoey2936]

you could try to enable this here (sorry that the screenshot is in German):

[AndreScalaPT]

I never thought of this solution !!!!
So many hours creating/editing new installations and it was so simple!

Thank you very much,
Kind regards,
André

[sonarun]

Thank you so much! I have been trying to fix this issue, looking at my reverse proxy (caddy), docker configs, and everything. Of course, this issue would be found in the Cloudflare settings. I didn't understand why my Strict-Transport-Security kept being reset to 0.

[sabonim38]

I have tried to change it as above, but I still get the error...

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

Any other tips???

[kathool]

same I had it set for 8 days now and it still gives me the error

[szaimen]

Solution:

#1697 (reply in thread)

you could try to enable this here (sorry that the screenshot is in German):

[njotha]

for my nextcloud 30 installation (Ubuntu bullseye, Raspberry Pi 5 8GB) none of all those many suggestions to solve the HSTS Problem has helped -- until I had the absolutely crazy idea to add the famous line not only to the <VirtualHost *:443> section of my apache2 config file, but to the <VirtualHost *:80> section as well. Luckily, I don't care for the crazyness of ideas, I just look for their results...

[naelfe]

I am running NC 30.0.4 on docker (via unraid) with a nginx reverse proxy. I was wondering for quite some time why I got the warning, because my reverse proxy was configured correctly and I could also see the header in my session (firefox) to be set correctly.
Today I had some time and was stumbling upon this thread.

While trying to check your different solutions, I also found this:
The ssl.conf in the nginx folder (user\appdata\nextcloud\nging\ssl.conf) had the following template in it.

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;

I simply removed the comment, restarted my docker and the warning is gone.

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

Maybe it will help somebody else as well :)