Hello, I just updated my OwnCloud installation to the newest version 8.1 and the admin panel warns me that
Code:
The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.
According to their security tips, I am supposed to add the following directive within the Apache VirtualHost file:
Code:
<VirtualHost *:443>
  ServerName cloud.owncloud.com
  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</VirtualHost>
Should I go and alter the corresponding vhost file manually in terminal or is there a more elegant way to add this directive through the ISPConfig interface? Thank you!

Never edit a vhost file manually, all manual changes will get removed automatically. If you want to add a config snippet into the vhost, then do this through the Apache Directives of the website or by modifying the global vhost master template.

Hi Till, I figured as much about manually editing the vhost files. However, when I entered the whole <VirtualHost> directive (with the corresponding changes for my domain) and proceeded to restart Apache, the process failed and said that said directive cannot be added within a virtual host. Then I only added the line "Header always add..." outside any tags, but that didn't seem to affect ownCloud, as the red warning that HSTS was not enabled remained. Could you give me a hint how to properly add this? Thanks!

The line that needs to be added is:
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

Same problem here. Adding
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
in Apache Directives is not working. ISPConfig creates a host.vhost.err file and falls back to the old vhost file. Content of my Apache Directives:
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) h ttps://%{SERVER_NAME}/$1 [R,L]
Of course without the gap between h and t, but HowtoForge doesn't allow me to post "links". The PHP module is Fast-CGI. I haven't found a solution so far.

Hi, OK, this works for me too over HTTP, but is there a possibility to get it working with the .htaccess file? There are many examples on the internet, but none of them work in my installation. Is it possible to set Strict-Transport-Security in .htaccess at all? Best regards, dm

@Jesse Norell Thank you! But my ownCloud still says: I've put:
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
in my Apache Directives. What am I missing?

I'm getting:
Code:
Cannot modify header information - headers already sent by (output started at /var/www/clients/client1/web3/web/3rdparty/sabre/http/lib/Sapi.php:70) at /var/www/clients/client1/web3/web/3rdparty/sabre/http/lib/Sapi.php#58
after putting:
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
in Apache Directives

Actually, one should put:
Code:
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
in Apache Directives

I just wanted to add that the code above also allows sending the HSTS header over HTTP, which is not recommended. It should only be sent over HTTPS. You can do this by adding
Code:
env=HTTPS
to the end of the directive. The complete directive should look like this...
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" env=HTTPS
This will remove the warning about sending the HSTS header over HTTP if you are trying to add a site to Chrome's preload list.
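
Added example (not from any post in this thread, and not ownCloud or ISPConfig code): a Python check of a response's HSTS header against the points raised above, using the 15768000-second threshold from the ownCloud warning and the RFC 6797 rule that each directive may appear only once. The function names and the sample headers are constructed for illustration.

```python
import re

MIN_MAX_AGE = 15768000  # threshold from the ownCloud warning quoted in the thread

def parse_hsts(value):
    """Return {directive: value-or-True}, or None if a directive repeats (invalid per RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"') if arg else True
    return directives

def audit_response(scheme, headers):
    """scheme is 'http' or 'https'; headers is a list of (name, value) pairs. Returns findings."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP; env=HTTPS stops Apache sending it there.
        return ["HSTS header sent over plain HTTP"] if values else []
    if not values:
        return ["HSTS header missing on HTTPS response"]
    findings = []
    if len(values) > 1:
        # "Header add" appends even when the header already exists; "Header set" replaces it.
        findings.append("multiple HSTS headers; only the first is processed")
    policy = parse_hsts(values[0])
    if policy is None:
        return findings + ["duplicate directive; header is invalid"]
    max_age = policy.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in policy:
            findings.append(f"{flag} not set")
    return findings

# Constructed sample response headers (not captured from a real server).
GOOD = [("Strict-Transport-Security", "max-age=15768000; includeSubDomains; preload")]

if __name__ == "__main__":
    print(audit_response("https", GOOD))        # compliant HTTPS response
    print(audit_response("http", GOOD))         # same header leaked over HTTP
    print(audit_response("https", GOOD + GOOD)) # header emitted twice
```

An empty findings list for the HTTPS response together with an empty list for the HTTP response corresponds to the directive with env=HTTPS applied.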