Enable HSTS in Owncloud

Hi,

I am running Owncloud 9.1 on a Raspberry Pi 2 with Apache and am getting the following warning:

The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

I have done as suggested here:

https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#enable-hsts-label

I edited my /etc/apache2/conf-enabled/owncloud-ssl.conf to look like this:

<VirtualHost *:80>
    # Redirect every plain-HTTP request to HTTPS
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName 127.0.0.1
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    DocumentRoot /var/www/owncloud
    # HSTS header; only emitted when mod_headers is loaded
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
</VirtualHost>

I have restarted Apache but am still getting the warning in Owncloud. Does anyone know if this is because I don't have a valid SSL certificate yet, or might there be another reason?

Thanks,

Adam

Hi,

just adding that to the .htaccess file won't help here. Have you verified:

This requires the mod_headers extension in Apache.

Hi,

Thanks. I haven't done anything to the .htaccess file yet, I just added the following to the owncloud-ssl.conf file:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

Do I have to do both?

This is only checking if the mentioned Apache module is loaded, it won't load the needed module on its own.

Aha! Thanks very much. Yep, a2enmod headers did the trick.
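As an added check that is not part of the thread, the POSIX shell script below pulls the Strict-Transport-Security header out of a response and compares its max-age against the 15552000 second threshold named in the ownCloud warning, so you can confirm the fix from the command line rather than waiting for the admin page. The hostname passed to check_live and the two sample header sets are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify the HSTS header ownCloud 9.1 expects.
# Assumptions: the host given to check_live is a placeholder; SAMPLE_HEADERS and
# SAMPLE_NO_HSTS are constructed responses used for offline testing.

MIN_AGE=15552000   # threshold quoted in the ownCloud warning (180 days)

# hsts_max_age HEADERS: print the max-age value from the HSTS header, or 0 if absent.
hsts_max_age() {
    age=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${age:-0}"
}

# hsts_ok HEADERS: succeed only when max-age meets MIN_AGE.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ "$age" -ge "$MIN_AGE" ]
}

# check_live HOST: fetch the response headers over HTTPS and evaluate them.
# -k is used because the server in the thread still runs the snakeoil self-signed cert.
check_live() {
    hdrs=$(curl -sk -I "https://$1/")
    if hsts_ok "$hdrs"; then
        echo "HSTS OK on $1 (max-age=$(hsts_max_age "$hdrs"))"
    else
        echo "HSTS missing or below $MIN_AGE on $1; is mod_headers enabled (a2enmod headers)?"
        return 1
    fi
}

# Constructed sample: what Apache sends once mod_headers is loaded.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html'

# Constructed sample: with mod_headers missing, the <IfModule> block is skipped
# silently and the header is simply absent.
SAMPLE_NO_HSTS='HTTP/1.1 200 OK
Content-Type: text/html'
```

Run `check_live your.owncloud.host` after restarting Apache; an absent header with the directive still in the config is the symptom of a missing `a2enmod headers`.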

Hi AdamD,

I am facing the same problem. Please help me: how did you enable HSTS? Which file should I edit? A detailed procedure would help me greatly.

Thanks in advance.

Hi,

the question of the OP was answered so closing here. Please follow the instructions provided here:

https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#enable-hsts-label

and also actually read the posts of the OP in this thread (he explained which file he edited to get this to work). If you don't understand the instructions provided at the link above create a new thread explaining what you don't understand.
