Adding HTTP Security Headers with OpenLiteSpeed and DirectAdmin

Call us now! +44 (0) 2037347158

Post published:20/10/2025
Post category:Linux general issues

Create a custom folder and then copy the file:

cp -p /usr/local/directadmin/data/templates/openlitespeed_vhost.conf /usr/local/directadmin/data/templates/custom/

1	cp -p /usr/local/directadmin/data/templates/openlitespeed_vhost.conf /usr/local/directadmin/data/templates/custom/

Edit it:

nano /usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf

1	nano /usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf

|CONTEXTS|
    |CUSTOM3|
|REALMS|

|CONTEXTS|

|CUSTOM3|

|REALMS|

Before writing the headers, make sure it belongs to the user diradmin:

cd /usr/local/directadmin/data/templates/custom/
touch openlitespeed_vhost.conf.CUSTOM.3.pre
chown diradmin:diradmin openlitespeed_vhost.conf.CUSTOM.3.pre

cd /usr/local/directadmin/data/templates/custom/

touch openlitespeed_vhost.conf.CUSTOM.3.pre

chown diradmin:diradmin openlitespeed_vhost.conf.CUSTOM.3.pre

Edit the file:

nano openlitespeed_vhost.conf.CUSTOM.3.pre

1	nano openlitespeed_vhost.conf.CUSTOM.3.pre

and add the following:

context / {
    location      $DOC_ROOT/
    allowBrowse     1
    extraHeaders   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  }
  context / {
    location        $DOC_ROOT/
    allowBrowse     1
    extraHeaders   X-Content-Type-Options nosniff
  }
  context / {
    location       $DOC_ROOT/
    allowBrowse    1
    extraHeaders    X-XSS-Protection 1;mode=block
  }
  context / {
    location    $DOC_ROOT/
    allowBrowse    1
    extraHeaders  X-Frame-Options SAMEORIGIN
  }
  context / {
    location      $DOC_ROOT/
    allowBrowse   1
    extraHeaders   Referrer-Policy strict-origin-when-cross-origin
  }
  context / {
    location    $DOC_ROOT/
    allowBrowse    1
    extraHeaders  Permissions-Policy geolocation=(), microphone=(), camera=()
  }
 context / { 
  location $DOC_ROOT/ 
  allowBrowse 1 
  extraHeaders Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';"
 }

context / {

location $DOC_ROOT/

allowBrowse 1

extraHeaders Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

}

context / {

location $DOC_ROOT/

allowBrowse 1

extraHeaders X-Content-Type-Options nosniff

}

context / {

location $DOC_ROOT/

allowBrowse 1

extraHeaders X-XSS-Protection 1;mode=block

}

context / {

location $DOC_ROOT/

allowBrowse 1

extraHeaders X-Frame-Options SAMEORIGIN

}

context / {

location $DOC_ROOT/

allowBrowse 1

extraHeaders Referrer-Policy strict-origin-when-cross-origin

}

context / {

location $DOC_ROOT/

allowBrowse 1

extraHeaders Permissions-Policy geolocation=(), microphone=(), camera=()

}

context / {

location $DOC_ROOT/

allowBrowse 1

extraHeaders Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';"

}

After adding the required headers, you must regenerate the domain configurations and restart OpenLiteSpeed:

cd /usr/local/directadmin/custombuild
./build rewrite_confs
systemctl restart lsws

cd /usr/local/directadmin/custombuild

./build rewrite_confs

systemctl restart lsws

Finally, it’s a good idea to hide the PHP version by editing the corresponding php.ini file:

expose_php = Off

1	expose_php = Off

You can check if your score has improved on the website securityheaders.com.

Source:
https://www.vpsbasics.com/cp/how-to-add-http-security-headers-with-openlitespeed-and-directadmin

Tags: add headers, Content-Security-Policy, CSP, custom folder, CUSTOM3, diradmin, DirectAdmin, expose_php Off, extraHeaders, hide PHP version, HSTS, HTTP security headers, improve security score, Linux server configuration, nosniff, OpenLiteSpeed, openlitespeed_vhost.conf, Permissions-Policy, php.ini, preload, Referrer-Policy, rewrite_confs, SAMEORIGIN, securityheaders.com, server security, ssl, Strict-Transport-Security, systemctl restart lsws, vhost configuration, web server hardening, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection