I believe what it is asking for is described here. This can only be done in the requisite Apache config or nginx config, neither of which seems accessible from the snap commands nextcloud.* scripts.
Which option did you use? $ sudo nextcloud.enable-https self-signed?
Then I would say it’s normal to see that message.
I’ve been using the snap for almost a year with a domain I bought and using the $ sudo nextcloud.enable-https lets-encrypt, and I see no warnings at all.
Yes… A self-signed cert is made fine, but as I said the requisite rule in the config is not.
# Enable HSTS only if requested
<IfDefine EnableHSTS>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
</IfDefine>
I assume this is just because the developer chose that as the default. But it is not best practice, hence the title of the post. They should be following the recommendations of the Nextcloud security advisories.
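Added example, not part of the thread or of the snap's own code: a small parser that checks a Strict-Transport-Security value against the RFC 6797 rules (case-insensitive directive names, required max-age, no duplicate directives), run on the value from the config quoted above. The function name `parse_hsts` is an assumption made for this example.

```python
# Added example: parse a Strict-Transport-Security value (RFC 6797, section 6.1).
# parse_hsts is a name chosen for this example, not part of the snap.

HEADER_FROM_CONFIG = "max-age=63072000; includeSubdomains"  # value quoted in the thread


def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool}.

    Raises ValueError for a header a browser would ignore as invalid.
    Simplification: a ';' inside a quoted value is not handled.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # empty directives such as a trailing ';' are allowed
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # values may be quoted strings
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = arg if sep else None  # None means "no value given"

    age = seen.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):
        raise ValueError("max-age is required and must be a non-negative integer")
    if seen.get("includesubdomains") is not None:
        raise ValueError("includeSubDomains takes no value")
    # Any other directive is ignored, as the RFC requires for unknown names.
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}


if __name__ == "__main__":
    policy = parse_hsts(HEADER_FROM_CONFIG)
    print(policy, "=", policy["max_age"] // 86400, "days")
```

The quoted value parses to a 730-day policy that covers subdomains; the mixed-case `includeSubdomains` spelling is accepted because directive names are matched case-insensitively.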
HSTS and self-signed certs are not compatible; the snap won’t put you in that terrible situation. In the future, you’ll probably have more luck asking Nextcloud-snap-specific questions in the Nextcloud snap repo: