
How to add headers to Plesk Web Interface pages?


Applicable to:

  • Plesk for Linux

Question

How to add headers to sw-engine delivered pages?

For instance:

    X-XSS-Protection
    X-Content-Type-Options
    Strict-Transport-Security

Answer

  1. Connect to the server via SSH;

  2. Modify /etc/sw-cp-server/conf.d/plesk.conf using any text editor (for example, vi) and add the required values to the server section:

    server_names_hash_bucket_size 64;

    server {
        listen 8443 ssl;
        listen 8880;
        listen 127.0.0.1:8880 default_server;
        include conf.d/*ipv6_ports.inc;

        ssl_certificate /usr/local/psa/admin/conf/httpsd.pem;
        ssl_certificate_key /usr/local/psa/admin/conf/httpsd.pem;

        # XSS Protection
        add_header X-XSS-Protection 1;
        add_header X-Content-Type-Options "nosniff";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        include conf.d/*plesk.inc;
        include conf.d/*wpb.inc;
    }

    Note: The above values are just an example. Syntax of the headers may be obtained from the nginx manual.

  3. Restart the sw-cp-server process:

    # service sw-cp-server reload
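
To confirm the result after the reload, the following added example (not part of the original article or of Plesk's tooling) reads a response's headers and reports which of the three headers above are missing or sent more than once, the situation described in the comments for X-XSS-Protection. The host name plesk.example.com and the function names are assumptions, and the sample response is constructed.

```shell
#!/bin/sh
# Added example: audit panel response headers after `service sw-cp-server reload`.
# Live use (placeholder host; -k skips certificate validation):
#   curl -skI https://plesk.example.com:8443/ | check_panel_headers

# count_header NAME FILE: how many times NAME occurs (case-insensitive)
count_header() {
    awk -F: -v want="$1" 'tolower($1) == tolower(want) { n++ } END { print n + 0 }' "$2"
}

# header_value NAME FILE: value of the first occurrence, without the trailing CR
header_value() {
    awk -F: -v want="$1" 'tolower($1) == tolower(want) {
        sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }' "$2"
}

# Reads raw response headers on stdin; returns 1 if any header is missing or duplicated.
check_panel_headers() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    rc=0
    for h in X-XSS-Protection X-Content-Type-Options Strict-Transport-Security; do
        n=$(count_header "$h" "$tmp")
        if [ "$n" -eq 0 ]; then
            echo "MISSING   $h"; rc=1
        elif [ "$n" -gt 1 ]; then
            echo "DUPLICATE $h (sent $n times)"; rc=1
        else
            echo "OK        $h: $(header_value "$h" "$tmp")"
        fi
    done
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: X-XSS-Protection arrives twice, HSTS is absent.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'X-XSS-Protection: 1; mode=block\r\n'
    printf 'X-XSS-Protection: 0\r\n'
    printf 'x-content-type-options: nosniff\r\n\r\n'
}

sample_response | check_panel_headers || true
```

A non-zero exit status means at least one header needs attention, so the function can be used in a post-change check script.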


Comments

  • X-XSS-Protection "1; mode=block" policy is already enabled and can't be overwritten using it.

    How can I do that?

    Thank you

    0
  • Hello Alex,

    Is it already enabled for Plesk pages (Plesk GUI) or your actual websites?

    0
  • Hi, Anton;

    I was talking about the Plesk GUI. Even without the line add_header X-XSS-Protection 1; mode=block; in /etc/sw-cp-server/conf.d/plesk.conf, when you look at the Plesk interface in the console or using an external checker like securityheaders.com, the X-XSS-Protection header appears enabled. If I add the line

    add_header X-XSS-Protection 0;

    it didn't overwrite the other one. How can I change it?

    Thank you

     

    0
  • Hello Alex,

    Thank you for the clarification.

    XSS-Protection header is indeed hardcoded into Plesk's PHP engine. To remove or modify it, you can use the following panel.ini directives:

    [security]
    xssProtection.enabled = true        ; whether to add the header
    xssProtection.blockMode = true      ; whether to add mode=block
    xssProtection.reportingUri = false  ; adds a report block with the URI from this parameter

    0
  • Thank you so much, Anton!

    0
  • Can you advise on adding Content-Security-Policy header and default values for Plesk Web Interface pages?

    0
  • Hello,

    For CSP, what values are suggested to use in 8443 - Plesk panel?

    0
