Nextcloud Update 14.04 Security Warning



  • After updating to the new version, the overview section says this:

    There are some warnings regarding your setup.
    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
    

    I'm using nginx as a reverse proxy so I added add_header Strict-Transport-Security: max-age=31536000; to the server block. nginx -t came back successful. I restarted the nginx service and am still receiving the error.



  • @wirestyle22 said in Nextcloud Update 14.04 Security Warning:

    After updating to the new version, the overview section says this:

    There are some warnings regarding your setup.
    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
    

    I'm using nginx as a reverse proxy so I added add_header Strict-Transport-Security: max-age=31536000; to the server block. nginx -t came back successful. I restarted the nginx service and am still receiving the error.

    The max age needs to be at least 15552000; your number is way lower than that.



  • @dbeato said in Nextcloud Update 14.04 Security Warning:

    @wirestyle22 said in Nextcloud Update 14.04 Security Warning:

    After updating to the new version, the overview section says this:

    There are some warnings regarding your setup.
    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
    

    I'm using nginx as a reverse proxy so I added add_header Strict-Transport-Security: max-age=31536000; to the server block. nginx -t came back successful. I restarted the nginx service and am still receiving the error.

    The max age needs to be at least 15552000; your number is way lower than that.

    Never mind, I read one less 0. But what about the engine on the actual Nextcloud server?



  • @dbeato said in Nextcloud Update 14.04 Security Warning:

    @dbeato said in Nextcloud Update 14.04 Security Warning:

    @wirestyle22 said in Nextcloud Update 14.04 Security Warning:

    After updating to the new version, the overview section says this:

    There are some warnings regarding your setup.
    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
    

    I'm using nginx as a reverse proxy so I added add_header Strict-Transport-Security: max-age=31536000; to the server block. nginx -t came back successful. I restarted the nginx service and am still receiving the error.

    The max age needs to be at least 15552000; your number is way lower than that.

    Never mind, I read one less 0. But what about the engine on the actual Nextcloud server?

    I didn't touch nextcloud itself. My thought is that NC can't tell that this is happening because it doesn't have a file to reference on the host itself. Basically a false positive. I am wondering if what I did is enough hardening-wise though and I can just ignore the error.



  • @wirestyle22 said in Nextcloud Update 14.04 Security Warning:

    e positive. I am wondering if what I did is enough hardening-wise though and I can just ignore the error.

    I would assume you can ignore it since NextCloud will be going through your Nginx Reverse proxy.



  • @dbeato said in Nextcloud Update 14.04 Security Warning:

    @wirestyle22 said in Nextcloud Update 14.04 Security Warning:

    e positive. I am wondering if what I did is enough hardening-wise though and I can just ignore the error.

    I would assume you can ignore it since NextCloud will be going through your Nginx Reverse proxy.

    That's my thought. Just wanted to verify.



  • @wirestyle22 said in Nextcloud Update 14.04 Security Warning:

    Strict-Transport-Security

    If you are using Nginx Reverse Proxy, adding add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; in your server block should remove that warning.
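
    A way to check what the proxy actually sends before deciding the warning can be ignored, as an added example that is not part of the original thread. The function names and header samples are constructed; the first sample is the header line that the colon form of the directive (header name ending in ":") is assumed to produce.

```python
MIN_MAX_AGE = 15552000  # threshold quoted in the Nextcloud warning


def hsts_max_age(raw_headers):
    """Return the HSTS max-age from a raw response header block, or None."""
    for line in raw_headers.splitlines():
        # Split on the first colon only, as an HTTP client would.
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            val = val.strip().strip('"')
            if key.strip().lower() == "max-age" and val.isdigit():
                return int(val)
        return None  # header present, but no parsable max-age directive
    return None  # header absent


def check(raw_headers):
    """Classify a header block the way the setup warning would care about."""
    age = hsts_max_age(raw_headers)
    if age is None:
        return "missing-or-malformed"
    return "ok" if age >= MIN_MAX_AGE else "too-short"


# Constructed samples (not captured from a real server).
BASE = "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
# Assumed result of: add_header Strict-Transport-Security: max-age=31536000;
COLON_FORM = BASE + "Strict-Transport-Security:: max-age=31536000\r\n"
# Result of the quoted form from the last reply in the thread.
QUOTED_FORM = BASE + (
    "Strict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n"
)
SHORT = BASE + "Strict-Transport-Security: max-age=3600\r\n"
NO_HEADER = BASE

if __name__ == "__main__":
    for label, sample in [("colon form", COLON_FORM), ("quoted form", QUOTED_FORM),
                          ("short max-age", SHORT), ("no header", NO_HEADER)]:
        print(f"{label:14} -> {check(sample)}")
```

    Against a live setup, pass the output of curl -sI for the public Nextcloud URL to check() instead of the constructed samples.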

