[Tutorial] How to add additional HTTP headers

So, after we are able to log in to the WebAdmin console, there are a lot of new advanced options for us.

For example, how to add an HTTP header to your website.

Some HTTP headers, for example HSTS, are really useful nowadays.

Log in to the console, go to Virtual Hosts, and select your site, as in the screenshot.

Now go to the "Context" tab and click "Add", as you can see in the screenshot.

Add a new context, type: Static, and click "Next".

Now fill in the following required options; in this case the HTTP header needs to be site-wide, so:

URI: / 
Location: /home/$VH_NAME/public_html
Accessible: Yes

Extra Headers:

Add the headers you need.

Since every web server has its own syntax, you may get it wrong at first; usually you need to tweak it by adding or removing a ";" or a space. I will
list some headers I have confirmed working on OLS.

After adding your headers, save, and remember to restart OLS for them to take effect.

Examples of HTTP headers:

Content-Security-Policy default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com
X-XSS-Protection 1;mode=block
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
Strict-Transport-Security: max-age=15552000
X-Content-Type-Options nosniff
Public-Key-Pins 'pin-sha256="pin1"; pin-sha256="pin2"; max-age=2592000'

Originally posted here by myself, and translated by myself :slight_smile:

Why, when I add it in .htaccess, is it not working?

OpenLiteSpeed does not honor these directives in .htaccess; you can set them via WebAdmin.

Is there any way to add additional headers at the server level?

Not from what I know.

It works. But if you check on https://hstspreload.org/ it will display:
Warning: Unnecessary HSTS header over HTTP

If you read the OWASP security docs, you will understand that:

“The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. Remove the Strict-Transport-Security header from all HTTP responses and only send it via HTTPS connections.”

Question: how do I add Strict-Transport-Security only for port 443?

It doesn’t work. Did something change over the years?

I just tested it again 2 or 3 days ago; it still works.

https://openlitespeed.org/kb/how-to-set-up-custom-headers/

Actually, I did manage to set up the cache policy as explained in the link that you've shared, and it works.

But when I include the security headers, they aren't reflected.

I'm trying to add security headers to improve WordPress site performance test results. I'm using LSCache and QUIC.cloud for CDN.

I added the following to the vHost conf. It's working correctly for the following, but not the others:

  1. Strict-Transport-Security "max-age=15552000; includeSubDomains;preload", and
  2. X-XSS-Protection 1;mode=block

context / {
  allowBrowse 1
  extraHeaders Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
  X-XSS-Protection 1;mode=block
  X-Content-Type-Options nosniff
  X-Frame-Options SAMEORIGIN
  Referrer-Policy: no-referrer-when-downgrade
  Content-Security-Policy: script-src 'self'

  rewrite {

  }
  addDefaultCharset off

  phpIniOverride {

  }
}

Problem solved. My bad.
You cannot edit security headers in CyberPanel; you must use the OLS WebAdmin, which I did not know about.
Next, I had a problem with the Content-Security-Policy causing the site to crash, but it was fixed after I changed it to:
Content-Security-Policy default-src data: 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com

I have added the code:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

But I'm getting this warning from here: https://hstspreload.org/
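The header list in the tutorial and the hstspreload.org warning about HSTS over plain HTTP raised later in the thread can both be checked from a server's own responses. The following Python script is an added example, not code from the original post or from OpenLiteSpeed; `parse_hsts`, `audit_headers` and the sample header sets are constructed for illustration, and the preload thresholds follow the published hstspreload.org submission requirements.

```python
# hstspreload.org requires a max-age of at least one year for submission.
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a lower-cased
    directive map; directives without a value map to ''."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def audit_headers(scheme: str, headers: dict[str, str]) -> list[str]:
    """Return findings for one response; scheme is 'http' or 'https'."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if scheme == "http":
        # Browsers ignore HSTS on plain HTTP; only send it on HTTPS responses.
        if hsts is not None:
            findings.append("unnecessary HSTS header over HTTP")
    elif hsts is None:
        findings.append("missing Strict-Transport-Security over HTTPS")
    else:
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
            findings.append("HSTS max-age below 31536000 (preload minimum)")
        for directive in ("includesubdomains", "preload"):
            if directive not in d:
                findings.append(f"HSTS missing {directive} directive (needed for preload)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows 'unsafe-inline'/'unsafe-eval', which weakens XSS protection")
    if "public-key-pins" in h:
        findings.append("Public-Key-Pins is deprecated and ignored by current browsers")
    return findings

# Constructed sample (not captured from a real server): the tutorial's HSTS
# value as it would look if the same context served it over plain HTTP.
SAMPLE_HTTP = {"Strict-Transport-Security": "max-age=15552000", "X-Content-Type-Options": "nosniff"}
```

Feed it the header set from a plain-HTTP fetch and from an HTTPS fetch separately (for example the output of `curl -I` against each scheme); an HSTS finding on the HTTP response is the same condition hstspreload.org reports as "Unnecessary HSTS header over HTTP".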