Enable HSTS in Owncloud

AdamD · October 14, 2016, 1:05pm

Hi,

I am running Owncloud 9.1 on a Raspberry Pi 2 with Apache and am getting the following warning:

The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

I have done as suggested here:

https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#enable-hsts-label

I edited my /etc/apache2/conf-enabled/owncloud-ssl.conf to look like this:

<VirtualHost *:80>
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName 127.0.0.1
SSLEngine on
SSLCertificateFIle /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
DocumentRoot /var/www/owncloud
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>

I have restarted Apache but am still getting the warning in Owncloud. Does anyone know if thIs is because I don't have a valid ssl certificate yet or may there be another reason please?

Thanks,

Adam

anon30676603 · October 14, 2016, 1:18pm

Hi,

just adding that to the .htaccess file won't help here. Have you verified:

This requires the mod_headers extension in Apache.

AdamD · October 14, 2016, 2:17pm

Hi,

Thanks. I haven't done anything to the .htaccess file yet, I just added the following to the owncloud-ssl.conf file:

<IfModule mod_headers.c>

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

Do I have to do both?

anon30676603 · October 14, 2016, 2:20pm

This is only checking if the mentioned Apache module is loaded, it won't load the needed module on its own.

AdamD · October 15, 2016, 9:47am

Aha! Thanks very much. Yep, a2enmod headers did the trick.

nazmulwanted · October 16, 2016, 1:06pm

Hi AdamD,

I am facing the same problem. Please help me- how did you enable HSTS? which file should I edit? Little detail procedure help me great.

Thanks in advance.

anon30676603 · October 16, 2016, 1:09pm

Hi,

the question of the OP was answered so closing here. Please follow the instructions provided here:

https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#enable-hsts-label

and also actually read the posts of the OP in this thread (he explained which file he edited to get this to work). If you don't understand the instructions provided at the link above create a new thread explaining what you don't understand.