§2024-07-09

The error message you're seeing indicates that your Nextcloud instance does not have the Strict-Transport-Security (HSTS) HTTP header configured correctly. HSTS is a security feature that instructs browsers to only interact with your site using HTTPS, which can help prevent certain types of attacks.

1. Apache

Open your Apache configuration file for your Nextcloud site. This is usually located in /etc/apache2/sites-available/ or a similar directory.

Add the following line inside the block for your site:

# cd /etc/apache2/sites-enabled/
root@hc4Bookworm:/etc/apache2/sites-enabled# ls -l
total 0
lrwxrwxrwx 1 root root 35 Jul  8 10:13 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 33 Jul  8 11:01 nextcloud.conf -> ../sites-available/nextcloud.conf
root@hc4Bookworm:/etc/apache2/sites-enabled# nano nextcloud.conf 

# systemctl restart apache2

• nextcloud.conf as,

<VirtualHost *:48501>
    ServerName n2Bookworm.yushei.net
    DocumentRoot /var/www/nextcloud/

    # log files
    ErrorLog /var/log/apache2/n2Bookworm.yushei.net.local-error.log
    CustomLog /var/log/apache2/n2Bookworm.yushei.net.local-access.log combined

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>
</VirtualHost>

sudo a2enmod headers
sudo a2enmod rewrite