Strict-Transport-Security" HTTP header is not set

I have a running Dietpi Nextcloud hosted on my rp3 using Everything works fine. Great program. Thank you.
However while updating have received a security message of “Strict-Transport-Security” HTTP header is not set". Tried to follow the provided link to fix it but, did not succeed. Searched the net the information was a bit inconsisten for me. I would like to ask for help if something is necessary to be done and if yes how.


Can you share some more information. Where do you have seen that message and which link you followed? As well did you restart your system after changing some parameters?

“The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips :arrow_upper_right:.”

security tips link

That’s a message inside Nextcloud? Can you share the link pls !

Also there are some recommendation whereby i am not sure what to do.

"This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them.



The message regarding the php modules are not relevant and can be ignored

One more question, what is the web server you are using?

It runs on rp3 DietPi behind my rooter with port forwarding. Is that what you asked?

not really :slight_smile:

did you select any specific web server on DietPi or did you go with default settings?

Let’s check ss -tulpn | grep LISTEN

btw: HSTS could have been set using dietpi-letsencrypt :wink:

what is the web server you are using?

tcp     LISTEN   0        80   *
tcp     LISTEN   0        511  *
tcp     LISTEN   0        1024     *
tcp     LISTEN   0        1000     *
tcp     LISTEN   0        1024    *
tcp     LISTEN   0        511                [::1]:6379             [::]:*
tcp     LISTEN   0        1024                [::]:80               [::]:*
tcp     LISTEN   0        1000                [::]:22               [::]:*

yes i use letsencrypt. found that hsts, but after setting it to ON, it keeps falling back to OFF.

the output doesn’t seems to be complete as it’s missing the information about the program using these ports. Usually it should looks like this

root@DietPiProd:~# ss -tulpn | grep LISTEN
tcp     LISTEN   0        1000      *      users:(("dropbear",pid=706,fd=3))
tcp     LISTEN   0        256   *      users:(("unbound",pid=527,fd=4))
tcp     LISTEN   0        4096    *      users:(("docker-proxy",pid=1220,fd=4))
tcp     LISTEN   0        5     *      users:(("pihole-FTL",pid=1858,fd=12))
tcp     LISTEN   0        5     *      users:(("mpd",pid=847,fd=11))
tcp     LISTEN   0        4096    *      users:(("docker-proxy",pid=1239,fd=4))
tcp     LISTEN   0        1024      *      users:(("lighttpd",pid=840,fd=4))
tcp     LISTEN   0        32        *      users:(("pihole-FTL",pid=1858,fd=7))
tcp     LISTEN   0        128     *      users:(("mympd",pid=958,fd=3))
tcp     LISTEN   0        1000                [::]:22                [::]:*      users:(("dropbear",pid=706,fd=4))
tcp     LISTEN   0        4096                [::]:3000              [::]:*      users:(("docker-proxy",pid=1226,fd=4))
tcp     LISTEN   0        4096                [::]:9002              [::]:*      users:(("docker-proxy",pid=1247,fd=4))
tcp     LISTEN   0        1024                [::]:80                [::]:*      users:(("lighttpd",pid=840,fd=5))
tcp     LISTEN   0        32                  [::]:53                [::]:*      users:(("pihole-FTL",pid=1858,fd=9))
tcp     LISTEN   0        50      *       users:(("smbd",pid=20382,fd=31))
tcp     LISTEN   0        80   *       users:(("mysqld",pid=19558,fd=26))
tcp     LISTEN   0        50      *       users:(("smbd",pid=20382,fd=32))
tcp     LISTEN   0        511  *       users:(("redis-server",pid=19486,fd=7))
tcp     LISTEN   0        1024     *       users:(("lighttpd",pid=19650,fd=4))
tcp     LISTEN   0        1000     *       users:(("dropbear",pid=426,fd=3))
tcp     LISTEN   0        1024    *       users:(("lighttpd",pid=19650,fd=6))
tcp     LISTEN   0        50                  [::]:445              [::]:*       users:(("smbd",pid=20382,fd=29))
tcp     LISTEN   0        511                [::1]:6379             [::]:*       users:(("redis-server",pid=19486,fd=8))
tcp     LISTEN   0        50                  [::]:139              [::]:*       users:(("smbd",pid=20382,fd=30))
tcp     LISTEN   0        1024                [::]:80               [::]:*       users:(("lighttpd",pid=19650,fd=5))
tcp     LISTEN   0        1000                [::]:22               [::]:*       users:(("dropbear",pid=426,fd=4))

ok you are running lighttpd as web server. You could do following to have HSTS activated. Pls use user root

cd /etc/lighttpd/conf-enabled
ln -s ../conf-available/98-dietpi-hsts.conf 98-dietpi-hsts.conf
service lighttpd force-reload
dietpi-services restart

ok thanks, i will follow your instructions and will report back

i have found an app to take care of it and it solved it. HSTS Header. Warning is gone.
Thank you

maybe you like to share what you have done :wink:

NC install in Apps at Tools section there is this app, i have downloaded and enabled.

Maybe you like to share the name of this app?