CSP Headers aren't being sent

I am trying to add some CSP headers via .htaccess, and they don't seem to be working.

Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"

When I do a curl -I on the domain, none of these headers shows up at all. WordPress rewrites and LSCache seem to be working, however.

Okay, I followed the instructions on that page and added the following to my / context:

Content-Security-Policy default-src 'self'
X-XSS-Protection 1;mode=block
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options nosniff

But curl -I is still not showing any of the headers...


I just tested, it works

[root@test ~]# curl -I https://xxxxxx
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Link: <https://xxxxx/index.php/wp-json/>; rel="https://api.w.org/"
X-Litespeed-Cache: hit
Date: Thu, 20 Sep 2018 20:29:50 GMT
Server: LiteSpeed
Content-Security-Policy: default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com
Connection: Keep-Alive

This is my setting:

<code>Content-Security-Policy default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com</code>

Plain text in vhost configuration file:

<code>context / {
  location /home/xxxxxxxx/public_html/
  allowBrowse 1
  extraHeaders Content-Security-Policy default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com

  rewrite {
  }

  addDefaultCharset off

  phpIniOverride {
  }
}</code>

Here's what's in mine, I edited the headers section to test similar to your example:

context / {
  location /
  allowBrowse 1

  extraHeaders Content-Security-Policy default-src 'self'

  indexFiles index.php

  rewrite {
    enable 1
    inherit 1
    rewriteFile /var/www/tailpuff/.htaccess
  }
  addDefaultCharset off

  phpIniOverride {
    php_value upload_max_filesize 64M
    php_value post_max_size 64M
  }
}


Did a graceful restart, but it is not showing the header:

HTTP/2 200
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
x-litespeed-cache: hit
server: LiteSpeed
date: Thu, 20 Sep 2018 20:38:22 GMT

I also disabled LSCache just now to ensure that the headers are reflecting changes and that change did show up.

However, I disabled HTTP/2 and selected 'none' and it's still showing HTTP/2. I noticed you're using HTTP/1.1 so I'm wondering if it could be a bug with HTTP/2 implementation.

I found the issue. There was an error in the server error log about the location path being in the denied list.

I had to change location from / to $DOC_ROOT/, and now the header is displaying.

However, I think this is a bug? Because it says that $DOC_ROOT is assumed and can be omitted.
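
A way to check `curl -I` output for the headers discussed in this thread, added here as an example and not posted by any participant. The function names (`missing_headers`, `sample_before`, `sample_after`) are hypothetical, and the sample responses are constructed from the outputs quoted above.

```shell
#!/usr/bin/env bash
# Added example: list expected security headers missing from `curl -I` output.
# Names are compared case-insensitively (HTTP/2 prints them in lowercase) and
# trailing CRs are stripped. Live use: curl -sI https://example.com | missing_headers

# Header names taken from the configuration lines posted in the thread.
EXPECTED_HEADERS="Content-Security-Policy X-XSS-Protection X-Frame-Options Referrer-Policy Strict-Transport-Security X-Content-Type-Options"

# Reads raw response headers on stdin; prints each expected header that is
# absent, one per line. Only the last response block counts, so headers seen
# on an intermediate redirect (curl -IL) are not credited to the final page.
missing_headers() {
    awk -v expected="$EXPECTED_HEADERS" '
        BEGIN { n = split(expected, want, " ") }
        { sub(/\r$/, "") }
        /^HTTP\// { split("", seen); next }   # status line: start a new block
        /^[^:]+:/ { seen[tolower(substr($0, 1, index($0, ":") - 1))] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(tolower(want[i]) in seen)) print want[i]
        }'
}

# Constructed sample: the HTTP/2 response from the thread before the fix.
sample_before() {
    printf '%s\r\n' 'HTTP/2 200' 'content-type: text/html; charset=UTF-8' \
        'x-litespeed-cache: hit' 'server: LiteSpeed' ''
}

# Constructed sample: same response once the context emits the CSP header.
sample_after() {
    printf '%s\r\n' 'HTTP/2 200' 'content-type: text/html; charset=UTF-8' \
        "content-security-policy: default-src 'self'" 'server: LiteSpeed' ''
}
```

Empty output from `missing_headers` means every expected header was present in the final response; checking the server error log, as the last post did, remains the way to find out why a configured header is not sent.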