Securing your website is paramount in today’s digital landscape. One effective way to strengthen your site’s security is to implement HTTP security headers. OpenLiteSpeed, a high-performance open-source web server, lets administrators configure these headers to protect against various web vulnerabilities. This guide walks you through setting up essential security headers in OpenLiteSpeed.
What Are Security Headers?
Security response headers involve both sides of the connection: the server sends them and the client (the browser) enforces them. They serve as directives that tell the browser how to protect against potential threats, secure data transmission, control access to device features, and manage the exchange of information between websites.
By configuring these headers, you can significantly enhance protection against a range of attacks, including clickjacking, cookie hijacking, MIME-type sniffing, and more.
Configuring Security Headers in OpenLiteSpeed
OpenLiteSpeed offers flexibility in configuring security headers either through its WebAdmin Console or by editing configuration files directly.
Using the WebAdmin Console
- Access WebAdmin: Navigate to https://your-server:7080 and log in.
- Virtual Hosts: Go to Virtual Hosts > select your virtual host.
- Context Settings: Under Context, add a new context or edit an existing one.
  - Type: Static
  - URI: /
  - Location: $DOC_ROOT/ (you can change this if you want to)
  - Accessible: Yes
  - Extra Headers (one header per line, in Name: value form):

        Strict-Transport-Security: max-age=31536000; includeSubDomains
        Content-Security-Policy: upgrade-insecure-requests; connect-src *
        Referrer-Policy: strict-origin-when-cross-origin
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        Permissions-Policy: geolocation=(self)

- Click Save and perform a graceful restart to apply the changes.
Add to .htaccess
You can also configure security response headers by adding them to the .htaccess file located in the root directory of your web application. Here’s an example:
    # Security Headers
    <IfModule mod_headers.c>
        Header set Content-Security-Policy "upgrade-insecure-requests"
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header set Referrer-Policy "strict-origin-when-cross-origin"
        Header set Permissions-Policy "geolocation=self"
    </IfModule>
Verify Headers
Browser Developer Tools: Inspect the response headers in your browser’s developer console.
Online Tools: Use https://securityheaders.com/ to scan your site.
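Scripted check: the verification step can also be automated. The following is an added example, not part of the original guide; the names audit, EXPECTED and SAMPLE and the pass/fail rules are assumptions of this example, chosen to mirror the values configured above. It parses a response head and flags each of the seven headers as ok, missing, duplicate (for instance when both the context and .htaccess set it) or weak.

```python
import re

# Headers configured in this guide, each with a value check (assumed rules).
EXPECTED = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,
    "content-security-policy": lambda v: "upgrade-insecure-requests" in v.lower(),
    "referrer-policy": lambda v: v.lower() == "strict-origin-when-cross-origin",
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "permissions-policy": lambda v: "geolocation=" in v.lower(),
}

def _max_age(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(m.group(1)) if m else -1

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw response head."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # drop any body
    headers = {}
    for line in head.splitlines()[1:]:                  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'duplicate' | 'weak'}."""
    seen, report = parse_headers(raw), {}
    for name, check in EXPECTED.items():
        values = seen.get(name, [])
        if len(values) != 1:
            report[name] = "duplicate" if values else "missing"
        else:
            report[name] = "ok" if check(values[0]) else "weak"
    return report

# Constructed sample: short HSTS max-age, doubled X-Frame-Options, no Referrer-Policy.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: upgrade-insecure-requests; connect-src *
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Permissions-Policy: geolocation=(self)
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a live site, pass audit() the text printed by curl -sI https://your-server/ instead of SAMPLE.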
Conclusion
If you’re unsure how to configure these headers or want to ensure your server is fully secured, it’s best to consult professionals. At Skynats, our expert team can help you set up security headers in OpenLiteSpeed Web Server and implement the right security measures tailored to your setup. For advanced configurations and complete web server hardening, feel free to contact us; we’re here to support you every step of the way.