HSTS Setting for Virtual Server In Virtualmin

Operating system Debian Linux 10
Webmin version 1.973
Usermin version 1.823
Virtualmin version 6.16
Authentic theme version 19.73
PHP version 7.4.21


I have a warning from Nextcloud on my server running Virtualmin/Webmin and do not know where to change this setting:

  • The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips :arrow_upper_right:.



This should be added on your Apache configuration, either global or host-based for SSL website.

<VirtualHost IP:443>

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"


After making changes to Apache config(s), it must be reloaded using UI or the following command:

systemctl restart apache2

Moreover, this change will require you to have enabled headers Apache module as well. This can be done by running:

a2enmod headers && systemctl restart apache2

… or using Servers ⇾ Apache Webserver: Configure Apache Modules page:

1 Like

@Ilia - Thank you for your reply.

I could not locate the virtual server’s .CONF file in the GUI so I added the line:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

In the Webmin → Servers → Apache Webserver → {virtual_server} 443 → Edit Directives and adding the above code to the end of the file.

I thought I had tried this already but it is possible I added it to the virtual server’s top domain and my Nextcloud install is in a sub-domain so maybe that is why it did not work that time.

It seems to be good now and I no longer see the warning in Nextcloud.

If there is a reason why I should not do this the way I did let me know.

Thanks again!