oC 9.1.4 question on HTTPS header settings

9.1.x

#1

On the admin page, my oC 9.1.4 installation tells me to harden my HTTPS settings:

The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

The link points to
https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#use-https

which explains how to "Enable HTTP Strict Transport Security". In there, it says to add the lines

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

to the .htaccess file (in the oC root folder, right?).

That's what I did, but I still get the initial warning. What am I doing wrong?

Thank you!


#2

I assume you don't have mod_headers?
Doing exactly the same on my server, the warning disappeared.


#3

What is 'mod_headers'? I don't think I have it unless it comes with a default installation.


#4

See your link:

This requires the mod_headers extension in Apache.

-> Having a look at the Apache manual will give you further information about this extension.


#5

I saw the note, but was not sure what "this" in "this requires" refers to. I thought it related to the subsequent sections? So the entire section "Enable HTTP Strict Transport Security" is only relevant for those who have the Apache extension?

Well, since I am using a hosted web service, I don't have access to the web server itself.
So in this situation there is no point in me messing with ownCloud's .htaccess file?

Thanks!


#6

If the extension is loaded by your hoster, you can use the .htaccess, so there is a point in pointing you to ownCloud's .htaccess file.

If this is a hosted webservice then you can do two things:

  1. Ignore this message
  2. Contact the support of your hoster asking for help with that

#7

This config snippet is for the Apache config. You have a hosted service and no access to the Apache config. So you have to add just one line to your .htaccess file:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

If the Apache mod_headers is not loaded, you may get an "Internal Server Error". Then you have to delete this line and live without HSTS.
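To see whether the header actually reaches clients after editing .htaccess (the check behind the admin-page warning in post #1), here is an added Python example that is not from the thread or from ownCloud: it parses the Strict-Transport-Security value and tests it against the 15552000-second minimum, first on constructed sample responses and optionally against a URL you pass on the command line (the placeholder URL is an assumption).

```python
import sys
import urllib.request

# Minimum max-age (seconds) that the ownCloud admin page checks for, as quoted in the thread.
REQUIRED_MAX_AGE = 15552000


def parse_hsts(value):
    """Split an RFC 6797 Strict-Transport-Security value into its directives (names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name in ("includesubdomains", "preload"):
            result["include_subdomains" if name == "includesubdomains" else "preload"] = True
    return result


def check_hsts(headers, required_max_age=REQUIRED_MAX_AGE):
    """Return (ok, reason) for a mapping of response headers; header names are matched case-insensitively."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "header missing (mod_headers not loaded, or .htaccess not applied?)"
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        return False, "max-age directive missing or not a number"
    if parsed["max_age"] < required_max_age:
        return False, "max-age %d is below %d" % (parsed["max_age"], required_max_age)
    return True, "ok"


def check_url(url):
    """Fetch an https:// URL and check the final response's HSTS header (browsers only honour HSTS over HTTPS)."""
    with urllib.request.urlopen(url) as resp:
        return check_hsts(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = {
        "after the .htaccess fix": {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"},
        "mod_headers not loaded": {"Content-Type": "text/html"},
        "max-age too short": {"strict-transport-security": "max-age=3600"},
    }
    for label, hdrs in samples.items():
        print(label, check_hsts(hdrs))
    if len(sys.argv) > 1:  # e.g. https://cloud.example/ (placeholder, assumed)
        print(sys.argv[1], check_url(sys.argv[1]))
```

If the header is missing even though the line is in .htaccess, the hoster has most likely not loaded mod_headers, which is the case post #6 and #7 describe.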