How To Set HSTS Header (Strict-Transport-Security) Using Nexi panel (OpenLiteSpeed)

Custom/Extra Header can be used for many purposes, like:

  1. Content Security Policy
  2. Referrer policy
  3. HSTS (Strict-Transport-Security)
  4. Content-type options

If you are using the LiteSpeed Enterprise server, you can add Extra headers to your .htaccess file, and the server will add them automatically, just like you used to do with Apache, as it is fully Apache Compatible.

However, if you are using OpenLiteSpeed, it has to be done via OpenLiteSpeed WebAdmin or by adding it to the vHost configuration for the website via Nexi Panel.


Table of Contents

  1. Log in to Nexi Panel
  2. Open the Website Manager
  3. Edit vHost Configuration
  4. Set the HSTS Header
  5. Verify Headers

Here are the steps to add an HSTS Header or extra header via vHost configuration from Nexi Panel.


1. Log in to your Nexi Panel Server

Visit https://<IP Address>:8090

Enter credentials to log in.


2. Open the website manager:

     2.1 Click on the website and then click on the list of websites.

      2.2 Click on the manage button in front of your desired website.

3. Edit vHost Configuration:

       3.1 Click the vHost conf in the configurations portion of the website manager.

The vHost Conf box will open. Move on to Step 4 to add the HSTS header.


4. How to set HSTS (Strict-Transport-Security) via vhost Conf:

HSTS is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks, such as protocol downgrade attacks and cookie hijacking.

Go to the bottom of the vHost Conf box, which you opened in the last step, and paste the following at the end of the file:

context / {
  allowBrowse             1
  extraHeaders            Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"

  rewrite  {

  }
  addDefaultCharset       off

  phpIniOverride  {

  }
}

 1. The max-age parameter tells the browser how long, in seconds, this rule must be cached.
 2. The includeSubDomains should only be added if you want to apply HSTS to subdomains too.
 3. The preload parameter is used for inclusion in Google Chrome’s preload list.


5. How to verify the extraHeaders configuration:

To verify the extraHeaders configuration, follow these steps:

    5.1 Open Network tab:

        1. Visit your website in any browser and open developer tools.

        2. In developer tools, click on the Network tab.

        3. Click on the file with your domain name, such as abc.xyz.

        4. Go to the Network tab and check the headers for any request. You should see the extra header you added in the vHost conf.
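
To complement the browser check, the header value can also be audited with a short script. This is an added example, not part of the original article: it parses the value from the vHost configuration above and compares it with the header requirements published at hstspreload.org (a max-age of at least 31536000 seconds, plus includeSubDomains and preload), which come from that site and not from this page.

```python
import re

# Minimum max-age (one year) that hstspreload.org requires; not stated on this page.
PRELOAD_MIN_AGE = 31536000

# Header value taken from the vHost configuration in step 4.
PAGE_VALUE = "max-age=15552000; includeSubDomains;preload"


def parse_hsts(value):
    """Parse one Strict-Transport-Security value into (directives, problems)."""
    directives, problems = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty directive, e.g. a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            problems.append(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age")
    if age is None:
        problems.append("max-age is missing (required)")
    elif not re.fullmatch(r"[0-9]+", age):
        problems.append(f"max-age is not a non-negative integer: {age!r}")
    elif int(age) == 0:
        problems.append("max-age=0 removes the site from the browser's HSTS cache")
    return directives, problems


def preload_gaps(directives):
    """List what the header still lacks for preload-list submission."""
    gaps = []
    age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", age) or int(age) < PRELOAD_MIN_AGE:
        gaps.append(f"max-age below {PRELOAD_MIN_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in directives:
            gaps.append(f"{flag} missing")
    return gaps


if __name__ == "__main__":
    found, problems = parse_hsts(PAGE_VALUE)
    print("directives:", found)
    print("problems:", problems or "none")
    print("preload gaps:", preload_gaps(found) or "none")
```

Browsers only honor this header on responses received over HTTPS, so copy the value from a request made to the https:// address of the site.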

