[Tutorial] How to add additional http header — CyberPanel - WebHosting Control Panel for OpenLiteSpeed


edited December 2017 in Tutorials

So, after we were able to log in to the webadmin console, there are a lot of new advanced options for us.

For example, how to add an HTTP header to your website.

Some HTTP headers, for example HSTS, are really useful nowadays.


Log in to the console, go to Virtual Hosts, and select your site, as in the screenshot


Now go to the "Context" tab and click "Add", as you can see in the screenshot


Add a new context, type: Static, and click "Next"


Now fill in the following required options. In this case the HTTP header needs to be site-wide, so

URI: / 
Location: /home/$VH_NAME/public_html
Accessible: Yes

Extra Header:

Add the header you need.

Since every web server has its own syntax, you may get it wrong at first; usually you need to tweak the ; or spaces by adding or removing them. I will list some headers I have confirmed working on OLS.

After adding your headers, save, and remember to restart OLS for them to take effect.

Examples of HTTP headers:

Content-Security-Policy default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com
X-XSS-Protection 1;mode=block
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
Strict-Transport-Security: max-age=15552000
X-Content-Type-Options nosniff
Public-Key-Pins 'pin-sha256="pin1"; pin-sha256="pin2"; max-age=2592000'

Originally posted here by myself, and translated by myself :)


  • Why is it not working when I add it in .htaccess?
  • Why is it not working when I add it in .htaccess?

    OpenLiteSpeed does not honor these directives in .htaccess, you can set them via Webadmin.
  • Is there any way to add additional headers at the server level?
  • Luke007 said:

    Is there any way to add additional headers at the server level?

    Not from what I know
  • It works. But if you check on https://hstspreload.org/, it displays:
    Warning: Unnecessary HSTS header over HTTP

    Reading the OWASP security docs, we understand that:

    "The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. Remove the Strict-Transport-Security header from all HTTP responses and only send it via HTTPS connections."

    Question: how to add Strict-Transport-Security only for 443?
  • It doesn't work. Did something change over the years?
  • @deewinc said:
    > It doesn't work. Did something change over the years?

    I just tested it again like 2, 3 days ago, it still works

  • >
    > https://openlitespeed.org/kb/how-to-set-up-custom-headers/

    Actually, I did manage to set up the cache policy as explained in the link that you've shared and it works.

    But when I include the security headers, it doesn't reflect.
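
To check whether the headers entered in the context's Extra Header box actually reach clients, and to catch the "HSTS header over HTTP" warning raised in the comments, the following added example (not code from the original posts or from the CyberPanel/OpenLiteSpeed project) audits response heads as captured with `curl -sI` over HTTP and HTTPS. The function names and the sample responses are constructed for illustration.

```python
# Header names taken from the example list in the tutorial post above.
EXPECTED = [
    "Content-Security-Policy", "X-XSS-Protection", "X-Frame-Options",
    "Referrer-Policy", "Strict-Transport-Security",
    "X-Content-Type-Options", "Public-Key-Pins",
]

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                 # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                                   # header names are case-insensitive
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdecimal():
            return int(val)
    return None

def audit(raw_http, raw_https, expected=EXPECTED):
    """Return findings for one site's plain-HTTP and HTTPS response heads."""
    http, https = parse_headers(raw_http), parse_headers(raw_https)
    findings = [f"missing over HTTPS: {h}" for h in expected if h.lower() not in https]
    if "strict-transport-security" in http:
        findings.append("HSTS sent over plain HTTP (browsers ignore it there)")
    for value in https.get("strict-transport-security", []):
        if hsts_max_age(value) is None:
            findings.append(f"HSTS value has no valid max-age: {value!r}")
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLE_HTTP = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000
X-Frame-Options: SAMEORIGIN
"""
SAMPLE_HTTPS = """HTTP/1.1 200 OK
strict-transport-security: max-age=15552000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HTTP, SAMPLE_HTTPS)))
```

An empty findings list means every expected header arrived over HTTPS and HSTS was not sent over plain HTTP.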