ownCloud 9.1.0 : How to enable HSTS?



Hi , I have installed ownCloud on my Raspberry pi B+ (OS : Raspbian 8 (jessie) ) and after successful installation , i went to admin option - there shows this warning message :

The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

My Question is: How can I enable HSTS and configure HTTP header to at least 15552000 seconds? I have searched many forums but now I am confused.

Please help me with detailed procedure.

Thanks in advance. Happy ownClouding! :stuck_out_tongue:

Server configuration
Operating system: Raspbian 8 Jessie
Web server: nginx
Database: MySQL
PHP version: 5
ownCloud version : 9.1.0
Updated from an older ownCloud or fresh install: Fresh Install

HTTPS Issues - Help Wanted


it worth to have a look at the nginx config provided in the official documentation which includes a HSTS part you can enable:



Hi @RealRancor,

Thanks for reply. The link you gave me is already visited. I am no expert in this - I just want to know in which file i need to add this code?

<VirtualHost *:443>
  ServerName cloud.owncloud.com
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

can you give me detail procedure or guidance?

Thanks in advance.

Best regards-


Sorry, have posted the wrong link. The correct link would be:


as you're on nginx.


Dear @RealRancor,

Thanks for your awesome response. I just saw the codes and just one question - should i just put this code-

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

after the line below? (i mean line below server name)-

server {
    listen 443 ssl;
    server_name cloud.example.com;

Thanks again.

Best regards-


You don't want to (and can't) use apache stuff in nginx. Please read my second post and forget the first post with the link.


Dear @RealRancor,

Many many thanks for your info. I got confused. That's why I was making same mistakes. I will use codes you suggested and let you know if it works.

Thanks again.

Best regards-


Yeah, that was my fault to post a wrong link. :slight_frown:


Dear @RealRancor,

You are awesome. your code works. Many many thanks. :smiley:

Best regards-


2 posts were split to a new topic: Set HSTS header on apache fails