ownCloud 9.1.0 : How to enable HSTS?


#1

Hi, I have installed ownCloud on my Raspberry Pi B+ (OS: Raspbian 8 (jessie)) and after successful installation, I went to the admin option, where this warning message is shown:

The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

My question is: How can I enable HSTS and configure the HTTP header to at least 15552000 seconds? I have searched many forums but now I am confused.

Please help me with a detailed procedure.

Thanks in advance. Happy ownClouding! :stuck_out_tongue:

Server configuration
Operating system: Raspbian 8 Jessie
Web server: nginx
Database: MySQL
PHP version: 5
ownCloud version : 9.1.0
Updated from an older ownCloud or fresh install: Fresh Install


#2

Hi,

It is worth having a look at the nginx config provided in the official documentation, which includes an HSTS part you can enable:

https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security


#3

Hi @RealRancor,

Thanks for the reply. I have already visited the link you gave me. I am no expert in this - I just want to know in which file I need to add this code?

<VirtualHost *:443>
  ServerName cloud.owncloud.com
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
  </IfModule>
</VirtualHost>


Can you give me a detailed procedure or guidance?

Thanks in advance.

Best regards-
Nazmul


#4

Sorry, I have posted the wrong link. The correct link would be:

https://doc.owncloud.org/server/9.1/admin_manual/installation/nginx_owncloud_9x.html

as you're on nginx.


#5

Dear @RealRancor,

Thanks for your awesome response. I just saw the code and have just one question - should I just put this code

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>


after the line below? (I mean the line below the server name)

server {
    listen 443 ssl;
    server_name cloud.example.com;

Thanks again.

Best regards-
Nazmul


#6

You don't want to (and can't) use Apache stuff in nginx. Please read my second post and forget the first post with the link.


#7

Dear @RealRancor,

Many many thanks for your info. I got confused. That's why I was making the same mistakes. I will use the code you suggested and let you know if it works.

Thanks again.

Best regards-
Nazmul


#8

Yeah, it was my fault for posting the wrong link. :slight_frown:


#9

Dear @RealRancor,

You are awesome. Your code works. Many many thanks. :smiley:

Best regards-
Nazmul
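
One way to confirm the result independently of the admin page, as an added example that is not part of the original thread: the script below checks a response header block (for instance the output of `curl -sI https://cloud.example.com`) against the 15552000-second minimum quoted in the warning from post #1. The function names and the sample responses are constructed for illustration, and the parsing rules follow RFC 6797 rather than ownCloud's own check.

```python
import re

MIN_MAX_AGE = 15552000  # minimum quoted in the ownCloud admin warning

def parse_hsts(value):
    """Parse an HSTS header value into {directive: value-or-None} (RFC 6797, 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty directive such as a trailing ';'
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError("duplicate directive: " + name)  # each may appear once
        directives[name] = val.strip().strip('"') or None
    return directives

def check_response(raw_headers, min_age=MIN_MAX_AGE):
    """Return (ok, reason) for a raw header block such as `curl -sI` output."""
    values = [line.split(":", 1)[1].strip()
              for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return False, "header missing"
    try:
        directives = parse_hsts(values[0])  # browsers process only the first one
    except ValueError as exc:
        return False, str(exc)
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return False, "max-age missing or not a number"
    if int(max_age) < min_age:
        return False, "max-age %s is below %d" % (max_age, min_age)
    return True, "max-age %s, includeSubDomains=%s" % (
        max_age, "includesubdomains" in directives)

# Constructed sample responses (not captured from a real server).
GOOD = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
        "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n")
SHORT = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=3600\r\n"
MISSING = "HTTP/1.1 200 OK\r\nServer: nginx\r\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("short", SHORT), ("missing", MISSING)):
        print(name, check_response(sample))
```

A "header missing" result on the HTTPS port after editing the config usually means the header was added to a different server block, or the web server was not reloaded.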


#10

2 posts were split to a new topic: Set HSTS header on apache fails

