I think I’ve mentioned it before, but I’m not a security expert. I’ve been really enjoying learning though! One of the things I was learning about today, was how to continue making my Nextcloud more secure. Fortunately, for guys like me, there is a “Hardening and security guide” online, and I’ve been making use of it.

One thing that my Nextcloud dashboard pointed out was that I needed to make some changes to prevent MITM (Man In The Middle) attacks. Of course, I was already using forced redirects to make every connection use HTTPS (port 443), even if the origin requested HTTP (port 80). But as the dashboard pointed out, and further reading revealed in the guide, I needed to enable HSTS, or HTTP Strict Transport Security. Seems like a mouthful to say, but according to the guide, it was really easy to implement.

All I had to do was add these lines to my Apache2 virtual host file for my Nextcloud page:

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

According to the guide, the big thing that this does is prevent the acceptance or use of invalid certificates. So if the certificate looks sketchy, the client will not be allowed to connect, hopefully reducing the chance of a MITM attack that use SSL stripping. You can read more about HSTS on Acunetix blog.

Linux – keep it simple.

2 Replies to “Nextcloud: More server hardening….”

  1. There is a fascinating article on the Internet called “Anatomy of a browser dilemma – how HSTS ‘supercookies’ make you choose between privacy or security” explaining how HSTS can actually used in a tricky way to do browser fingerprinting (privacy violation). I don’t think you own enough domains to pull it off, however.

    1. Very interesting! I read the article, but as you say, I would need at least 20 websites under my control to distinguish 1 million people groups. Since I have so few, I think we are safe! 😀
      But a very interesting concept non-the-less. I could see a place like Google making use of this. I think there are much easier methods of browser fingerprinting, though.

Leave a Reply

Your email address will not be published.