CSP Headers aren't being sent

[simba]

I am trying to add some CSP headers via .htaccess, and they don't seem to be working.

Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"

when I do a curl -I on the domain, none of these headers shows up at all. WordPress re-writes and LSCache seems to be working however.

 

[lsqtwrk]

Hi,

please check this post

https://forums.cyberpanel.net/discussion/88/tutorial-how-to-add-additional-http-header#latest

 

[simba]

Okay, I followed the instructions on that page and added the following to my / context


Content-Security-Policy default-src 'self'
X-XSS-Protection 1;mode=block
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options nosniff

But curl -I is still not showing any of the headers...

 

[lsqtwrk]

you did restart, right ?

 

[simba]

I did a graceful restart

 

[lsqtwrk]

I just tested , it works

[root@test ~]# curl -I https://xxxxxx
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Link: <https://xxxxx/index.php/wp-json/>; rel="https://api.w.org/"
X-Litespeed-Cache: hit
Date: Thu, 20 Sep 2018 20:29:50 GMT
Server: LiteSpeed
Content-Security-Policy: default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com
Connection: Keep-Alive

this is my setting

<code>Content-Security-Policy default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com</code>


Plain text in vhost configuration file:

<code>context / {
location /home/xxxxxxxx/public_html/
allowBrowse 1
extraHeaders Content-Security-Policy default-src 'self' data: 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://ajax.cloudflare.com

rewrite {

}
addDefaultCharset off

phpIniOverride {

}
}</code>

 

[simba]

Here's what's in mine, I edited the headers section to test similar to your example:

<code>
context / {
location /
allowBrowse 1

extraHeaders Content-Security-Policy default-src 'self'

indexFiles index.php

rewrite {
enable 1
inherit 1
rewriteFile /var/www/tailpuff/.htaccess
}
addDefaultCharset off

phpIniOverride {
php_value upload_max_filesize 64M
php_value post_max_size 64M
}
}

</code>

Did a graceful restart, but it is not showing the header:

<code>
HTTP/2 200
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
x-litespeed-cache: hit
server: LiteSpeed
date: Thu, 20 Sep 2018 20:38:22 GMT
</code>

 

[lsqtwrk]

try purge your cache and test again.

 

[simba]

I did a purge all in LSCache, no difference.

cURL is still not showing the header.

 

[lsqtwrk]

Then please submit a ticket here

 

[simba]

I also disabled LSCache just now to ensure that the headers are reflecting changes and that change did show up.

However I disabled HTTP/2 and selected 'none' and it's still showing HTTP/2. I noticed you're using HTTP/1.1 so I'm wondering if it could be a bug with HTTP/2 implementation.

 

[simba]

I found the issue. There was an error in the server error log about the location path being in the denied list.

I had to change location from / to $DOC_ROOT/, and now the header is displaying.

However, I think this is a bug? Because it says that $DOC_ROOT is assumed and can be omitted.

 

[lsqtwrk]

location /

This , I think , no , it's not bug , it should be absolute path on file system

 

[simba]

If that's the case then the instruction text should be updated to reflect that.

 

[lsqtwrk]

If that's the case then the instruction text should be updated to reflect that.

well , my mistake ,it seems to be a webadmin bug. , though I always use absolute path in there.