Where to add Security Headers for all hosts?

[UserMilan]

Hello To All,

Newbie here. I would like to know where I can add security headers for all existing and new hosts. I think it would be nice to have them set globally, rather than configuring them individually for each domain.

So far I know the syntax is

extraHeaders <<<END_extraHeaders
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy "upgrade-insecure-requests;connect-src *"
Referrer-Policy strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection 1;mode=block
Permissions-Policy: geolocation=(self "")
END_extraHeaders

I tried to paste it to httpd_config.conf, ccl.conf and several other files I also tried Copilot and ChatGPT. But no success.

Help is appreciated. Thank you.

Milan

 

[Cold-Egg]

No global policy for that, but you could consider using the include file method and apply it to all the virtual hosts.
https://docs.openlitespeed.org/config/advanced/includes/

For such general questions, please post it in general openlitespeed discussion thread.

 

[gizmo]

No global policy for that, but you could consider using the include file method and apply it to all the virtual hosts.

Hi @Cold-Egg, I know how to configure it individually for each virtual host. But for global scope would this not work, for example?

VHost Template centralConfigLog > Context > Static
URI: /
Location: $VH_ROOT/
Accessible: Yes
Header Operations:
Header always set Strict-Transport-Security: max-age=31536000; includeSubDomains
Header always set Content-Security-Policy "upgrade-insecure-requests;connect-src *"
Header always set Referrer-Policy strict-origin-when-cross-origin
Header always set X-Frame-Options: SAMEORIGIN
Header always set X-Content-Type-Options: nosniff
Header always set X-XSS-Protection 1;mode=block
Header always set Permissions-Policy: geolocation=(self "")

 

[Cold-Egg]

It would work if you used a virtual host template.