How To Set HSTS Header (Strict-Transport-Security) Using CyberPanel (OpenLiteSpeed)

Custom/extra headers can be used for many purposes, like:
  1. Content Security policy
  2. Referrer policy
  3. HSTS (Strict-Transport-Security)
  4. Content-type options

If you are using the LiteSpeed Enterprise server, you can add extra headers to your .htaccess file and the server will add them automatically, just like you used to do with Apache, as it is fully Apache-compatible.

However, if you are using OpenLiteSpeed it has to be done via OpenLiteSpeed WebAdmin or by adding it to vHost configuration for the website via CyberPanel.


Here are the steps to add an HSTS header or extra header via vHost configuration from CyberPanel.

1. Log in to your CyberPanel Server

Visit https://<IP Address>:8090

Enter credentials to log in.


2. Open the website manager:

2.1 Click on the website and then click on the list websites.

2.2 Click on the manage button in front of your desired website.


3. Edit vHost Configuration:

3.1 Click the vHost conf from the website manager.

The vHost Conf box will open. Move on to Step 4 on how to add the HSTS header.


4. How to set HSTS (Strict-Transport-Security) via vhost Conf:

HSTS is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

Go to the bottom of the vHost Conf box which you opened in the last step and paste the following at the end of the file:

context / {
  allowBrowse             1
  extraHeaders            Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"

  rewrite  {

  }
  addDefaultCharset       off

  phpIniOverride  {

  }
}

1. The age parameter tells the browser how long this rule must be cached.
2. The includeSubDomains should only be added if you want to apply HSTS to subdomains too.
3. The preload parameter is used for inclusion in Google Chrome’s preload list.


5. How to verify extraHeaders configuration:

To verify extraHeaders configuration follow the steps:

5.1 Open Network tab:

1. Visit your website in any browser and open developer tools.

2. In developer tools click on the Network tab.

3. Click on the file with your domain name, like (abc.xyz).

4. Go to the Network tab and check headers for any request. You should see the extra header you added in vHost conf.

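The browser check in step 5 confirms only that the header is present. As an added example (not part of the original post), the following parses a Strict-Transport-Security value following RFC 6797 and checks it against the hstspreload.org submission requirements (max-age of at least 31536000, includeSubDomains, preload). The function names are illustrative, and the sample values are the ones posted in this thread plus one constructed malformed value.

```python
import re

# Added example; names are illustrative. One year is the hstspreload.org minimum.
PRELOAD_MIN_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument or True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # RFC 6797 allows empty directives, e.g. a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        directives[name] = arg.strip().strip('"') if arg.strip() else True
    return directives

def audit_hsts(value):
    """Return a list of findings; an empty list means the value is preload-ready."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"[0-9]+", max_age):
        return ["max-age missing or not an integer"]
    findings = []
    age = int(max_age)
    if age == 0:
        findings.append("max-age=0 makes the browser drop its stored HSTS policy")
    elif age < PRELOAD_MIN_AGE:
        findings.append(f"max-age={age} is below the preload minimum {PRELOAD_MIN_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        findings.append("preload missing (required for preload)")
    return findings

# Values posted in this thread, plus one constructed value without max-age.
SAMPLES = ["max-age=15552000; includeSubDomains;preload",
           "max-age=31536000; includeSubDomains; preload",
           "max-age=31536000",
           "includeSubDomains; preload"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: {audit_hsts(s) or 'OK for preload'}")
```
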

I followed this tutorial to the T but I still don’t see it in the response header. I cleared my cache, restarted the server, and verified the below code was added at the bottom of the file. I dropped it in, directly under the VirtualHost entry.

</VirtualHost>

context / {
  allowBrowse             1
  extraHeaders            Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
  rewrite  {
  }
  addDefaultCharset       off
  phpIniOverride  {
  }
}

This also didn’t work for me. Any suggestions on what could be changed?

Edit: never mind. I have my domain going through Cloudflare. I configured it there.

It worked for me.

I had an F, now I have a D. Looks like we have to make tuts about it, ajajajajajajjaaj. It was F before; one step at a time.

Thanks, it worked for my site actualpost.com and in the same way I added other important security headers. Below are codes -

context / {
  allowBrowse             1
  extraHeaders            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  rewrite  {
  }
  addDefaultCharset       off
  phpIniOverride  {
  }
}

context / {
  allowBrowse             1
  extraHeaders            Content-Security-Policy "upgrade-insecure-requests;"
  rewrite  {
  }
  addDefaultCharset       off
  phpIniOverride  {
  }
}

context / {
  allowBrowse             1
  extraHeaders            X-Content-Type-Options "nosniff"
  rewrite  {
  }
  addDefaultCharset       off
  phpIniOverride  {
  }
}

context / {
  allowBrowse             1
  extraHeaders            X-Frame-Options "SAMEORIGIN"
  rewrite  {
  }
  addDefaultCharset       off
  phpIniOverride  {
  }
}

context / {
  allowBrowse             1
  extraHeaders            Referrer-Policy "no-referrer-when-downgrade"
  rewrite  {
  }
  addDefaultCharset       off
  phpIniOverride  {
  }
}

This code works best on the main domain, but on the subdomain it is not working.
Any solution?

Hi everyone,
kindly update please.

If you have LiteSpeed Enterprise then you can add security header code using .htaccess, but OpenLiteSpeed does not support this.

So here are two options-

  1. Convert subdomain to website and then add security header using above method
  2. Use WordPress plugin
  3. Add this code to the WordPress theme's functions file:

// Add security headers
// wp_headers is a filter, so the callback must return the header array it receives
add_filter('wp_headers', function ($headers) {
    header('Strict-Transport-Security: max-age=31536000');
    header('X-XSS-Protection: 1; mode=block');
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header("Content-Security-Policy: default-src 'self'");
    return $headers;
});

Make sure to customise the above code as per your needs.