Nextcloud Update 14.04 Security Warning
-
After updating to the new version, the overview section says this:
There are some warnings regarding your setup. The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.I'm using nginx as a reverse proxy so I added
add_header Strict-Transport-Security: max-age=31536000;to the server block.nginx -tcame back successful. Restarting the nginx service and am still receiving the error. -
@wirestyle22 said in Nextcloud Update 14.04 Security Warning:
After updating to the new version, the overview section says this:
There are some warnings regarding your setup. The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.I'm using nginx as a reverse proxy so I added
add_header Strict-Transport-Security: max-age=31536000;to the server block. nginx -t came back successful. Restarting the nginx service and am still receiving the error.The max age needs to be at least 15552000 your number is way lower than that.
-
@dbeato said in Nextcloud Update 14.04 Security Warning:
@wirestyle22 said in Nextcloud Update 14.04 Security Warning:
After updating to the new version, the overview section says this:
There are some warnings regarding your setup. The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.I'm using nginx as a reverse proxy so I added
add_header Strict-Transport-Security: max-age=31536000;to the server block. nginx -t came back successful. Restarting the nginx service and am still receiving the error.The max age needs to be at least 15552000 your number is way lower than that.
Nevermind, I read one less 0.. But what about the engine on the actual Nextcloud server?
-
@dbeato said in Nextcloud Update 14.04 Security Warning:
@dbeato said in Nextcloud Update 14.04 Security Warning:
@wirestyle22 said in Nextcloud Update 14.04 Security Warning:
After updating to the new version, the overview section says this:
There are some warnings regarding your setup. The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.I'm using nginx as a reverse proxy so I added
add_header Strict-Transport-Security: max-age=31536000;to the server block. nginx -t came back successful. Restarting the nginx service and am still receiving the error.The max age needs to be at least 15552000 your number is way lower than that.
Nevermind, I read one less 0.. But what about the engine on the actual Nextcloud server?
I didn't touch nextcloud itself. My thought is that NC can't tell that this is happening because it doesn't have a file to reference on the host itself. Basically a false positive. I am wondering if what I did is enough hardening-wise though and I can just ignore the error.
-
@wirestyle22 said in Nextcloud Update 14.04 Security Warning:
e positive. I am wondering if what I did is enough hardening-wise though and I can just ignore the error.
I would assume you can ignore it since NextCloud will be going through your Nginx Reverse proxy.
-
@dbeato said in Nextcloud Update 14.04 Security Warning:
@wirestyle22 said in Nextcloud Update 14.04 Security Warning:
e positive. I am wondering if what I did is enough hardening-wise though and I can just ignore the error.
I would assume you can ignore it since NextCloud will be going through your Nginx Reverse proxy.
That's my thought. Just wanted to verify.
-
@wirestyle22 said in Nextcloud Update 14.04 Security Warning:
Strict-Transport-Security
If you are using Nginx Reverse Proxy, adding
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";in your server block should remove that warning.
