Enable HTTP Strict Transport Security
While redirecting all traffic to HTTPS is good, it may not completely prevent man-in-the-middle attacks. Thus administrators are encouraged to set the HTTP Strict Transport Security (HSTS) header, which instructs browsers not to allow any connection to the ownCloud instance over plain HTTP, and which attempts to prevent site visitors from bypassing invalid certificate warnings.
This can be achieved by setting the following directive within the Apache VirtualHost file containing the <VirtualHost *:443> entry. Browsers only honor the header when it arrives over an HTTPS connection with a valid certificate, which is why it belongs in the :443 VirtualHost rather than the :80 one:

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
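To confirm that the header an instance actually sends matches the guidance above, the following Python validator parses a Strict-Transport-Security value according to the RFC 6797 directive syntax and reports the weaknesses a reviewer would look for. This is an added example, not code from the ownCloud project; it takes the page's 15552000-second max-age as the recommended minimum, and the sample responses at the bottom are constructed, not captured from a real server.

```python
"""Validate Strict-Transport-Security header values (RFC 6797 directive syntax)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Value used in the ownCloud guidance: 15552000 seconds = 180 days.
# Treated here as the recommended minimum (an assumption of this example).
RECOMMENDED_MIN_MAX_AGE = 15552000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str]


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value. Directive names are case-insensitive, max-age is
    required, values may be quoted, unknown directives are ignored, and a
    repeated directive makes the header invalid (RFC 6797 section 6.1)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    problems: List[str] = []
    seen = set()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            problems.append(f"duplicate directive {name!r}")
            continue
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                problems.append(f"max-age has non-numeric value {val!r}")
            else:
                max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        problems.append("max-age missing: browsers ignore the header")
    elif max_age == 0:
        problems.append("max-age=0 removes the policy instead of setting it")
    elif max_age < RECOMMENDED_MIN_MAX_AGE:
        problems.append(
            f"max-age {max_age} is shorter than recommended {RECOMMENDED_MIN_MAX_AGE}"
        )
    if not include_subdomains:
        problems.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def check_response(headers: Dict[str, str], over_https: bool) -> List[str]:
    """Evaluate one response's HSTS posture. Browsers only honor HSTS that was
    received over a trusted HTTPS connection, so a header on a plain-HTTP
    response is reported as ineffective rather than parsed."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return ["no Strict-Transport-Security header"]
    if not over_https:
        return ["HSTS header sent over HTTP is ignored by browsers; send it on the HTTPS host"]
    return parse_hsts(value).problems


# Constructed sample responses (not captured from any real server).
SAMPLES = [
    ("guidance value, HTTPS", {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}, True),
    ("short max-age", {"strict-transport-security": "max-age=3600"}, True),
    ("policy removal", {"Strict-Transport-Security": "max-age=0; includeSubDomains"}, True),
    ("header on port 80", {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}, False),
    ("no header", {"Content-Type": "text/html"}, True),
]

if __name__ == "__main__":
    for label, headers, https in SAMPLES:
        findings = check_response(headers, https) or ["ok"]
        print(f"{label}: {'; '.join(findings)}")
```

Run it after changing the VirtualHost to see which of the constructed cases your own header would match; `check_response` can be fed the headers from any HTTP client once you are satisfied with the policy it enforces.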
Source: Hardening and Security Guidance — ownCloud 9.1 Server Administration Manual 9.1 documentation (last modified: February 1st, 2020)