Applicable to:
- Plesk for Linux
Question
How to add headers to sw-engine delivered pages?
For instance:
    X-XSS-Protection
    X-Content-Type-Options
    Strict-Transport-Security
Answer
- Connect to the server via SSH;
- Modify /etc/sw-cp-server/conf.d/plesk.conf using any text editor (for example vi) and add required values to the server section:

    server_names_hash_bucket_size 64;
    server {
        listen 8443 ssl;
        listen 8880;
        listen 127.0.0.1:8880 default_server;
        include conf.d/*ipv6_ports.inc;
        ssl_certificate /usr/local/psa/admin/conf/httpsd.pem;
        ssl_certificate_key /usr/local/psa/admin/conf/httpsd.pem;
        # XSS Protection
        add_header X-XSS-Protection 1;
        add_header X-Content-Type-Options "nosniff";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        include conf.d/*plesk.inc;
        include conf.d/*wpb.inc;
    }

  Note: The above values are just an example. Syntax of the headers may be obtained from the nginx manual.
- Restart sw-cp-server process:

    # service sw-cp-server reload
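To confirm the result after the reload, the following added example (not part of the original article) checks a captured response for the three headers named above and flags any that are missing or sent more than once, which happens when the application behind nginx already sets a header that add_header also adds. The function name check_headers, the placeholder host and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live input (placeholder host):
#   curl -sk -o /dev/null -D - "https://<panel-host>:8443/" | check_headers

# Reads raw response headers on stdin and prints "<header> ok|missing|duplicate(n)".
# Returns 0 only when each expected header is present exactly once.
check_headers() {
    awk '
    BEGIN { n = split("x-xss-protection x-content-type-options strict-transport-security", want, " ") }
    {
        sub(/\r$/, "")                      # drop the CR of CRLF line endings
        i = index($0, ":")
        if (i == 0) next                    # status line or blank line
        count[tolower(substr($0, 1, i - 1))]++
    }
    END {
        rc = 0
        for (k = 1; k <= n; k++) {
            c = count[want[k]] + 0
            if (c == 1)      { printf "%s ok\n", want[k] }
            else if (c == 0) { printf "%s missing\n", want[k]; rc = 1 }
            else             { printf "%s duplicate(%d)\n", want[k], c; rc = 1 }
        }
        exit rc
    }'
}

# Constructed sample: the three headers as set in the server section above.
SAMPLE_OK='HTTP/1.1 200 OK
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
'

# Constructed sample: the application and nginx both send X-XSS-Protection,
# and Strict-Transport-Security is absent.
SAMPLE_DUP='HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
'

printf '%s' "$SAMPLE_OK"  | check_headers || echo "SAMPLE_OK: headers need attention"
printf '%s' "$SAMPLE_DUP" | check_headers || echo "SAMPLE_DUP: headers need attention"
```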
Comments
5 comments
X-XSS-Protection "1; mode=block" policy is already enabled and can't be overwritten using it.
How can I do that?
Thank you
Hello Alex,
Is it already enabled for Plesk pages (Plesk GUI) or your actual websites?
Hi, Anton;
I was talking about Plesk GUI. Even without the line add_header X-XSS-Protection 1; mode=block; in /etc/sw-cp-server/conf.d/plesk.conf, when you look at the Plesk interface on the console or using an external checker like securityheaders.com, the X-XSS-Protection header appears enabled. If I add the line
add_header X-XSS-Protection 0;
it didn't overwrite the other one. How can I change it?
Thank you
Hello Alex,
Thank you for the clarification.
XSS-Protection header is indeed hardcoded into Plesk's PHP engine. To remove or modify it, you can use the following panel.ini directives:
    [security]
    ; whether to add the header
    xssProtection.enabled = true
    ; whether to add mode=block
    xssProtection.blockMode = true
    ; add a report block with the URI from this parameter
    xssProtection.reportingUri = false
Thank you so much, Anton!