I've created a subdomain for nextcloud and all is working just fine. In the security recommendations within Nextcloud I keep getting: 'The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips'. Now I found that there are two options to get this fix. I've tried to set the following in .htaccess in the root of the subdomain:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
But this doesn't seem to do anything. I've checked a2enmod headers and it reports it already enabled, so nothing missing there. I've tried editing the /etc/apache2/sites-enabled/next.domain.conf and /etc/apache2/sites-available/next.domain.conf but that doesnt fix it either. I see that the default setting for Override All is: AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch is that enough to have this work?
Any ideas on how to get this fixed? What is the preferred way to configure this, at .htaccess or in sites-enabled (or anywhere)?