oC 9.1.4 question on HTTPS header settings

On the admin page, my oC 9.1.4 installation tells me to harden my HTTPS settings:

The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

The link points to

which explains how to "Enable HTTP Strict Transport Security". In there, it says to add the lines

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

to the .htaccess file (in the oC root folder, right?).

That's what I did, but I still get the initial warning. What am I doing wrong?

Thank you!

I assume you don't have mod_headers?
Doing exactly the same on my server, the warning disappeared.

What is 'mod_headers'? I don't think I have it unless it comes with a default installation.

See your link:

This requires the mod_headers extension in Apache.

->Having a look at the manual of apache will give you further information about this extension.

I saw the note, but was not sure what "this" in "this requires" refers to. I thought it relates to the subsequent sections? So the entire section "Enable HTTP Strict Transport Security" is only relevant for those that have the Apache extension?

Well, since I am using a hosted webservice, I don't have access to the web server itself.
So in this situation there is no point in me messing with ownCloud's .htaccess file?


If the extensions is loaded by your hoster you can use the .htaccess so there is a point to point you to ownClouds .htaccess file.

If this is a hosted webservice then you can do two things:

  1. Ignore this message
  2. Contact the support of your hoster asking for help with that

This config snippet is for the apache config. You have a hosted service and no access to the apache config. So you have to add just one line to your .htaccess file:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

If the apache mod_headers is not loaded, maybe you will get a "Internal Server Error". Then you have delete this line and live without HSTS.