Comments (12)

sualko commented on August 26, 2024

Which server do you use? In case you are using apache, is the headers module available?

from cloud_hsts.

SarahDela commented on August 26, 2024

Plesk shared server with Nginx MariaDB

ehcloninger commented on August 26, 2024

I have the same problem on my nextcloud (https://cloninger.cloud). App is installed and enabled in NC, but does not show in headers. Running Apache 2.4.43.

Do not have mod_headers as /etc/ is not writable by me. (virtual Linux host). Can't sudo, cannot restart Apache.

Thanks

sualko commented on August 26, 2024

Weird. It would be nice if you could add some debug code to the app, so that we can get the reason for this malfunction.

Just add the following to the end of appinfo/app.php and look for the messages in your log (enable debug log):

\OC::$server->getLogger()->debug(isModHeadersAvailable() ? 'Mod Headers is available' : 'Mod Headers is NOT available');
\OC::$server->getLogger()->debug(isHTTPS() ? 'Served via httpS' : 'Served via http');

SarahDela commented on August 26, 2024

If it is a server side config then session var session.use_strict_mode is set to 0 on my servers

ehcloninger commented on August 26, 2024

@sualko I made the change as shown in appinfo/app.php at the bottom. Logging was already on.

There is no log message appearing. What would trigger the message?

I loaded in a private instance and nothing showed in the logs.
Logged out as admin and back in again. Nothing.
Disabled, then enabled HSTS Header (0.5.0)
Used securityheaders.com to load the site and still getting HSTS notice. Nothing in the logs.
Moved the message to the top of app.php, thinking maybe a return or exception happened. No message in logs.

Is it possible the app isn't loading at all? I'm assuming this goes into the log at nextclouddata/nextcloud.log?

I'm running 19.0.1 (Stable channel). PHP 7.4.8. I don't really have a lot of apps installed. At the moment, it's just a Proof of Concept for myself.

SarahDela commented on August 26, 2024

Just added these lines to .htaccess

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; preload"
</IfModule>

Case closed for me, no need for module.
@sualko thank you

ehcloninger commented on August 26, 2024

@SarahDela I can confirm that also works for me. Thank you!

@sualko It appears that my .htaccess also has this bit, so that may be why it wasn't working.

<IfModule mod_env.c>
    SetEnv modHeadersAvailable true
</IfModule>

sualko commented on August 26, 2024

ModHeaders is always the preferred method, therefore this app will not add any header if the module is available. If you can add it via htaccess, everything is fine.

PrzemekSkw commented on August 26, 2024

Hello @sualko, I have added the following to my /var/www/nextcloud/.htaccess:

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000; preload"
</IfModule>

I disabled:
#SetEnv modHeadersAvailable true
I installed the HSTS app from the Nextcloud Appstore but still have that warning. What can I do to make it work?
Regards.

sualko commented on August 26, 2024

@PrzemekSkw

ModHeaders is always the preferred method, therefore this app will not add any header if the module is available. If you can add it via htaccess, everything is fine.

PrzemekSkw commented on August 26, 2024

Hi @sualko, I have an option in Dietpi OS to enable HSTS without any other operations. I forgot about it. Sorry.
Thanks.
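
Added example, not part of the thread or of the cloud_hsts app: a small Python check of a Strict-Transport-Security value against RFC 6797 syntax and the hstspreload.org submission requirements (max-age of at least 31536000, includeSubDomains, preload). The function names are illustrative assumptions; the sample value is the one from the .htaccess snippets posted above.

```python
# Added example: audit a Strict-Transport-Security value (RFC 6797 syntax).
PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_hsts(value):
    """Return (directives, errors) for one header value."""
    directives, errors = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # RFC 6797 tolerates empty directives (stray ';')
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip().strip('"') if sep else None
        if name in directives:
            errors.append(f"duplicate directive: {name}")
            continue
        directives[name] = arg
    age = directives.get("max-age")
    if age is None:
        errors.append("max-age is required")
    elif not (age.isascii() and age.isdigit()):
        errors.append(f"max-age is not a non-negative integer: {age!r}")
    return directives, errors


def audit_hsts(value, served_over_https=True):
    """Return a list of findings; an empty list means nothing to report."""
    directives, findings = parse_hsts(value)
    if findings:
        return findings  # a non-conforming header is ignored by user agents
    if not served_over_https:
        findings.append("sent over plain HTTP: browsers ignore it")
    age = int(directives["max-age"])
    if age == 0:
        findings.append("max-age=0 tells the browser to drop the policy")
    if "preload" in directives:
        if age < PRELOAD_MIN_AGE:
            findings.append(f"preload set but max-age {age} < {PRELOAD_MIN_AGE}")
        if "includesubdomains" not in directives:
            findings.append("preload set but includeSubDomains is missing")
    return findings


if __name__ == "__main__":
    thread_value = "max-age=15768000; preload"  # value posted in the thread
    for finding in audit_hsts(thread_value):
        print(finding)
```

The header as posted is a valid HSTS policy for the host itself; the two findings only matter if the site is meant to be submitted to the browser preload list.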
