Sometimes we spend so much time protecting our websites that we forget about protecting our users. It is more efficient to be proactive than reactive.
For this reason it's a good idea to set some security HTTP headers, so that if your users are targeted by an attacker it is harder to fool them into handing over their credentials.
First, let's open up the LiteSpeed WebAdmin console by heading over to
Now click on the magnifying glass icon to edit the virtual host.
Navigate to the Context tab and hit Add.
Set the type to "Static" and hit the skip icon in the upper right to go to the next step.
Now fill out the following: in the URI field put "/" (or any other URI you want to cover), set the Accessible radio button to Yes, and add the following in the Header Operations box.
NOTE: It is a good idea to understand exactly what Content-Security-Policy does before adding it. If your scripts load anything from outside your domain name and you enable this policy without checking first, browsers will refuse to load those resources.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(self)
Now you can hit the Save button in the upper right and reload OpenLiteSpeed.
To check that your headers have been set correctly, you can visit https://securityheaders.com.
And hopefully you’ll have a nice A+ result!
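As an added example (not from the original post), here is a small Python checker that applies the same expectations to a raw response header block; the sample response is constructed to match the headers configured above, so it runs offline. Against a live site you would feed it the header block of a HEAD request instead.

```python
"""Check a raw HTTP response header block for the security headers
configured above. Added example; the sample response is constructed."""
import re

# Constructed sample: what the OpenLiteSpeed context above should send.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(self)
"""

ONE_YEAR = 31536000  # the max-age used in the post, in seconds

def parse_headers(raw):
    """Return {lowercase-name: value} for a raw header block (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing or has no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    if "default-src" not in h.get("content-security-policy", ""):
        findings.append("CSP missing or has no default-src fallback")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or permissive")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings
```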
If you would like to learn more about these headers, I suggest researching them individually, especially if you would like a more fine-tuned setup.
Please note that some of these settings can break your website if it isn't built to use HTTPS, or if it has errors or bad practices in its make-up. Research and test each individual header before going to production with them.