Adding your own custom headers to your WordPress websites on OpenLiteSpeed (OLS) servers is quick and simple. Each of your websites has the following directory:
Here you’ll find the
headers.conf file, which is where you’ll find your website’s default security headers, and where you can add your own custom headers as well.
You don’t need to worry about the headers you add here getting overwritten, and if any of the default headers don’t fit your needs, you can remove them or comment them out using a hashtag at the beginning of the line.
LIMITATION VS NGINX
One limitation with OpenLiteSpeed compared to Nginx is that you can’t add a server-wide custom header on OLS. Each site needs to be edited individually.
Fortunately though, the use case for this is quite rare, and adding headers is easy.
headers.conf contains the following:
# Custom User Headers # Usage: one line per entry # Included in /usr/local/lsws/conf/vhosts/site.url/vhconf.conf Referrer-Policy strict-origin-when-cross-origin Strict-Transport-Security: max-age=31536000 X-Content-Type-Options nosniff X-Frame-Options SAMEORIGIN X-XSS-Protection 1; mode=block
Each header you add must be on its own line.
The header name should contain no spaces, and there should be a space between the name and the value. For example:
For more than value, separate them with a semi-colon like so:
Steve-Hosted True; Package-Name
You can also wrap multiple values in quotes as well:
Steve-Hosted "True; Package-Name"
Here’s an example of what some custom headers (a bunch of nonsense) I’ve added to a test website look like:
Adding Your Custom Header/s
STEP 1. SSH INTO YOUR SERVER
To get started you’ll first need to connect to your server via SSH. Please see the following guides to get started:
Step 1. Generate your SSH Key
STEP 2. ADD YOUR HEADER/S
headers.conf with the following command (replace “site.url” with your domain name):
Add each of your headers on their own line, then hit Ctrl+O and then press Enter to save the file. Then Ctrl+X to exit nano.
STEP 3. REBUILD YOUR VHCONF
As the rewrites.conf file has been modified, a specific OpenLiteSpeed command has to be executed in order for the changes to take effect (replace “site.url” with your domain name):
gpols site site.url
Checking Your Custom Header/s
If you know what this is, you don’t require a tutorial on how to check it, so we’ll skip this part.
One thing to be aware of, depending on what you’ve edited, is that previous headers may be cached by your browser and/or the server, and you may need to clear the cache and check the site in an incognito window to confirm the changes are in fact live on the website.