I think I’ve mentioned it before, but I’m not a security expert. I’ve been really enjoying learning though! One of the things I was learning about today, was how to continue making my Nextcloud more secure. Fortunately, for guys like me, there is a “Hardening and security guide” online, and I’ve been making use of it.
One thing that my Nextcloud dashboard pointed out was that I needed to make some changes to prevent MITM (Man In The Middle) attacks. Of course, I was already using forced redirects to make every connection use HTTPS (port 443), even if the original request came in over HTTP (port 80). But as the dashboard pointed out, and further reading revealed in the guide, I needed to enable HSTS, or HTTP Strict Transport Security. Seems like a mouthful to say, but according to the guide, it was really easy to implement.
All I had to do was add this line to my Apache2 virtual host file for my Nextcloud page:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
According to the guide, the big thing that this does is prevent the acceptance or use of invalid certificates. So if the certificate looks sketchy, the client will not be allowed to connect, hopefully reducing the chance of a MITM attack that uses SSL stripping. You can read more about HSTS on the Acunetix blog.
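Once the header is in place, it helps to confirm what the server actually sends back over HTTPS (browsers ignore the header on plain HTTP, and Apache needs mod_headers enabled for the Header directive to take effect at all). The Python script below is an added example, not from this post or the Nextcloud guide: it parses a Strict-Transport-Security value and checks it against the value shown above; the host name and script name in the usage comment are placeholders.

```python
import sys
import urllib.request

# Minimum max-age from the Nextcloud hardening guide: 15552000 seconds (180 days).
MIN_MAX_AGE = 15552000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into lower-cased directives.
    max-age becomes an int, flags such as includeSubDomains map to "".
    Returns None when max-age is missing or non-numeric (browsers ignore such a header)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def check_hsts(headers):
    """Return the problems with the HSTS policy in an HTTPS response's headers
    (a name -> value mapping, names matched case-insensitively); [] means it
    matches the value the guide recommends."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: HSTS is not enabled"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed Strict-Transport-Security header: %r" % value]
    problems = []
    if policy["max-age"] == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif policy["max-age"] < MIN_MAX_AGE:
        problems.append("max-age %d is below the guide's %d seconds" % (policy["max-age"], MIN_MAX_AGE))
    if "includesubdomains" not in policy:
        problems.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
    return problems

def check_site(hostname):
    """Fetch https://<hostname>/ and check its headers; HSTS only counts over HTTPS."""
    with urllib.request.urlopen("https://%s/" % hostname, timeout=10) as resp:
        return check_hsts(dict(resp.headers.items()))

if __name__ == "__main__":
    # Usage: python hsts_check.py cloud.example.com  (placeholder host name)
    for line in check_site(sys.argv[1]) or ["HSTS header looks good"]:
        print(line)
```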
Linux – keep it simple.