Security and expire headers

[carlita]

I´ve been trying (with little success) to put some expire and security headers. Since my panel shows the "Include file detected in configuration file" warning, I can´t do it from there.
The expire headers I could workarund it by using the cloudflare TTL expire setting. But with the security headers I´m having a bad time.
Tried the CloudFlare workers with success, but the free version is limited and learned the hard way that my visitors can´t see the site after the limit is reached.
Also tried the .htaccess but as you can imagine that didn´t work.

<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "upgrade-insecure-requests;"

So the simple question... how can I instert security headers?

Any idea will be greatly appreciated

 

[carlita]

Ok I will respond my own question, but someone might find it useful
In the file /www/server/panel/vhost/openlitespeed/detail/yoursite.com.conf
(the "panel" folder I think its from my specific panel, you might have another name)

You have to add this code

context / {

  extraHeaders            <<<END_extraHeaders
 

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https:
X-Content-Type-Options "nosniff" always
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(self ""),

  END_extraHeaders
}

Cheers

 

[Cold-Egg]

Correct, by the context method. https://openlitespeed.org/kb/how-to-set-up-custom-headers/