Hi,
I have DietPi Nextcloud running on my RPi 3 using ddns.net. Everything works fine. Great program. Thank you.
However, while updating I received a security message: "Strict-Transport-Security" HTTP header is not set. I tried to follow the provided link to fix it, but did not succeed. I searched the net, but the information was a bit inconsistent for me. I would like to ask for help on whether something needs to be done and, if yes, how.
thanks
Andrew
Hi,
Can you share some more information? Where did you see that message, and which link did you follow? Also, did you restart your system after changing some parameters?
Settings/Administration/Overview
“The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.”
security tips link
That’s a message inside Nextcloud? Can you share the link please!
Also there are some recommendations where I am not sure what to do.
"This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them.
bcmath
gmp
imagick
"
The message regarding the PHP modules is not relevant and can be ignored.
One more question, what is the web server you are using?
It runs on an RPi 3 with DietPi behind my router with port forwarding. Is that what you asked?
Not really.
Did you select any specific web server on DietPi, or did you go with the default settings?
Let’s check ss -tulpn | grep LISTEN
btw: HSTS could have been set using dietpi-letsencrypt
what is the web server you are using?
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
tcp LISTEN 0 1024 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 1000 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 1024 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 511 [::1]:6379 [::]:*
tcp LISTEN 0 1024 [::]:80 [::]:*
tcp LISTEN 0 1000 [::]:22 [::]:*
Yes, I use Let's Encrypt. I found that HSTS option, but after setting it to ON, it keeps falling back to OFF.
The output doesn’t seem to be complete, as it’s missing the information about the program using these ports. Usually it should look like this:
root@DietPiProd:~# ss -tulpn | grep LISTEN
tcp LISTEN 0 1000 0.0.0.0:22 0.0.0.0:* users:(("dropbear",pid=706,fd=3))
tcp LISTEN 0 256 127.0.0.1:5335 0.0.0.0:* users:(("unbound",pid=527,fd=4))
tcp LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:* users:(("docker-proxy",pid=1220,fd=4))
tcp LISTEN 0 5 127.0.0.1:4711 0.0.0.0:* users:(("pihole-FTL",pid=1858,fd=12))
tcp LISTEN 0 5 127.0.0.1:6600 0.0.0.0:* users:(("mpd",pid=847,fd=11))
tcp LISTEN 0 4096 0.0.0.0:9002 0.0.0.0:* users:(("docker-proxy",pid=1239,fd=4))
tcp LISTEN 0 1024 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=840,fd=4))
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:* users:(("pihole-FTL",pid=1858,fd=7))
tcp LISTEN 0 128 0.0.0.0:1333 0.0.0.0:* users:(("mympd",pid=958,fd=3))
tcp LISTEN 0 1000 [::]:22 [::]:* users:(("dropbear",pid=706,fd=4))
tcp LISTEN 0 4096 [::]:3000 [::]:* users:(("docker-proxy",pid=1226,fd=4))
tcp LISTEN 0 4096 [::]:9002 [::]:* users:(("docker-proxy",pid=1247,fd=4))
tcp LISTEN 0 1024 [::]:80 [::]:* users:(("lighttpd",pid=840,fd=5))
tcp LISTEN 0 32 [::]:53 [::]:* users:(("pihole-FTL",pid=1858,fd=9))
root@DietPiProd:~#
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=20382,fd=31))
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=19558,fd=26))
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:* users:(("smbd",pid=20382,fd=32))
tcp LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=19486,fd=7))
tcp LISTEN 0 1024 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=19650,fd=4))
tcp LISTEN 0 1000 0.0.0.0:22 0.0.0.0:* users:(("dropbear",pid=426,fd=3))
tcp LISTEN 0 1024 0.0.0.0:443 0.0.0.0:* users:(("lighttpd",pid=19650,fd=6))
tcp LISTEN 0 50 [::]:445 [::]:* users:(("smbd",pid=20382,fd=29))
tcp LISTEN 0 511 [::1]:6379 [::]:* users:(("redis-server",pid=19486,fd=8))
tcp LISTEN 0 50 [::]:139 [::]:* users:(("smbd",pid=20382,fd=30))
tcp LISTEN 0 1024 [::]:80 [::]:* users:(("lighttpd",pid=19650,fd=5))
tcp LISTEN 0 1000 [::]:22 [::]:* users:(("dropbear",pid=426,fd=4))
OK, you are running lighttpd as web server. You could do the following to have HSTS activated. Please use user root:
cd /etc/lighttpd/conf-enabled
ln -s ../conf-available/98-dietpi-hsts.conf 98-dietpi-hsts.conf
service lighttpd force-reload
dietpi-services restart
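Once the lighttpd config has been reloaded, the quickest way to confirm the fix is to look at the header the server actually sends rather than at the Nextcloud warning, which is only refreshed when the admin overview is reopened. The script below is an added example, not something from this thread, from DietPi or from Nextcloud: it reads raw HTTP response headers on stdin (for instance from `curl -sI https://your.ddns.net/`) and reports whether `Strict-Transport-Security` is present with a `max-age` of at least 15552000 seconds, the threshold quoted in the Nextcloud message. The function names `hsts_max_age`, `hsts_check` and `report`, and the three sample responses, are the example's own; the samples are constructed, not captured from anyone's server.

```shell
# hsts_check.sh: added example (not part of the thread, DietPi or Nextcloud).
# Reads raw HTTP response headers on stdin and checks the HSTS header.

# Print the max-age value of the (last) Strict-Transport-Security header,
# or 0 when the header is missing or carries no max-age directive.
hsts_max_age() {
    # HTTP lines end in CRLF; drop the CR so awk sees clean fields.
    tr -d '\r' | awk '
        # Header field names are case-insensitive, so compare in lower case.
        index(tolower($0), "strict-transport-security:") == 1 {
            s = tolower($0)
            # Directive list looks like: max-age=31536000; includeSubDomains
            if (match(s, /max-age=[0-9]+/))
                age = substr(s, RSTART + 8, RLENGTH - 8)
        }
        END { if (age == "") age = 0; print age }
    '
}

# Exit 0 when max-age meets the threshold (default 15552000 s = 180 days,
# the value Nextcloud warns about), 1 otherwise.
hsts_check() {
    threshold="${1:-15552000}"
    age="$(hsts_max_age)"
    [ "$age" -ge "$threshold" ]
}

# Constructed sample responses for an offline demonstration (not captured
# from a real server). Only the first one would satisfy the Nextcloud check.
SAMPLE_HSTS_OK='HTTP/1.1 200 OK
Server: lighttpd
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'
SAMPLE_HSTS_SHORT='HTTP/1.1 200 OK
Server: lighttpd
Strict-Transport-Security: max-age=3600'
SAMPLE_HSTS_MISSING='HTTP/1.1 200 OK
Server: lighttpd
Content-Type: text/html'

# report NAME HEADERS: print a one-line verdict for one response.
report() {
    if printf '%s\n' "$2" | hsts_check; then
        echo "$1: ok, max-age=$(printf '%s\n' "$2" | hsts_max_age)"
    else
        echo "$1: HSTS missing or max-age below 15552000"
    fi
}

report ok      "$SAMPLE_HSTS_OK"
report short   "$SAMPLE_HSTS_SHORT"
report missing "$SAMPLE_HSTS_MISSING"
```

To check a live instance, source the file and run `curl -sI https://your.ddns.net/ | hsts_check && echo HSTS ok`. Test the https URL, not the http one: browsers ignore a Strict-Transport-Security header received over plain HTTP, so the header only matters on the TLS listener (port 443 in the `ss` output above).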
OK, thanks. I will follow your instructions and report back.
I have found an app to take care of it, and it solved it: HSTS Header. The warning is gone.
Thank you
Maybe you would like to share what you have done?
In the NC Apps section under Tools there is this app; I downloaded and enabled it.
Maybe you would like to share the name of this app?