ownCloud 9.1.0 : How to enable HSTS?

nazmulwanted · July 28, 2016, 4:16am

Hi , I have installed ownCloud on my Raspberry pi B+ (OS : Raspbian 8 (jessie) ) and after successful installation , i went to admin option - there shows this warning message :

The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

My Question is: How can I enable HSTS and configure HTTP header to at least 15552000 seconds? I have searched many forums but now I am confused.

Please help me with detailed procedure.

Thanks in advance. Happy ownClouding!

Server configuration
Operating system: Raspbian 8 Jessie
Web server: nginx
Database: MySQL
PHP version: 5
ownCloud version : 9.1.0
Updated from an older ownCloud or fresh install: Fresh Install

anon30676603 · July 28, 2016, 5:01am

Hi,

it worth to have a look at the nginx config provided in the official documentation which includes a HSTS part you can enable:

https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security

nazmulwanted · July 28, 2016, 5:28am

Hi @RealRancor,

Thanks for reply. The link you gave me is already visited. I am no expert in this - I just want to know in which file i need to add this code?

<VirtualHost *:443>
  ServerName cloud.owncloud.com
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
 </VirtualHost>

can you give me detail procedure or guidance?

Thanks in advance.

Best regards-
Nazmul

anon30676603 · July 28, 2016, 5:33am

Sorry, have posted the wrong link. The correct link would be:

https://doc.owncloud.org/server/9.1/admin_manual/installation/nginx_owncloud_9x.html

as you're on nginx.

nazmulwanted · July 28, 2016, 5:45am

Dear @RealRancor,

Thanks for your awesome response. I just saw the codes and just one question - should i just put this code-

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>

after the line below? (i mean line below server name)-

server {
    listen 443 ssl;
    server_name cloud.example.com;

Thanks again.

Best regards-
Nazmul

anon30676603 · July 28, 2016, 5:55am

You don't want to (and can't) use apache stuff in nginx. Please read my second post and forget the first post with the link.

nazmulwanted · July 28, 2016, 6:08am

Dear @RealRancor,

Many many thanks for your info. I got confused. That's why I was making same mistakes. I will use codes you suggested and let you know if it works.

Thanks again.

Best regards-
Nazmul

anon30676603 · July 28, 2016, 6:12am

Yeah, that was my fault to post a wrong link.

nazmulwanted · July 28, 2016, 6:19am

Dear @RealRancor,

You are awesome. your code works. Many many thanks.

Best regards-
Nazmul

tflidd · February 22, 2017, 10:51pm

2 posts were split to a new topic: Set HSTS header on apache fails