Operating system Debian Linux 10
Webmin version 1.973
Usermin version 1.823
Virtualmin version 6.16
Authentic theme version 19.73
PHP version 7.4.21
Hello,
I have a warning from Nextcloud on my server running Virtualmin/Webmin and do not know where to change this setting:
- The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips
.
Thanks
Hi,
This should be added on your Apache configuration, either global or host-based for SSL website.
<VirtualHost IP:443>
...
...
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>
After making changes to Apache config(s), it must be reloaded using UI or the following command:
systemctl restart apache2
Moreover, this change will require you to have enabled headers Apache module as well. This can be done by running:
a2enmod headers && systemctl restart apache2
… or using Servers ⇾ Apache Webserver: Configure Apache Modules page:
@Ilia - Thank you for your reply.
I could not locate the virtual server’s .CONF file in the GUI so I added the line:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
In the Webmin → Servers → Apache Webserver → {virtual_server} 443 → Edit Directives and adding the above code to the end of the file.
I thought I had tried this already but it is possible I added it to the virtual server’s top domain and my Nextcloud install is in a sub-domain so maybe that is why it did not work that time.
It seems to be good now and I no longer see the warning in Nextcloud.
If there is a reason why I should not do this the way I did let me know.
Thanks again!
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
