Enable HSTS on webuzo server

Introduction

This article will detail the necessary steps to enable HSTS on a webuzo server.

Procedure

To enable HSTS, use the steps below:

1) Using SSH or the Webuzo File Manager, navigate to the ~/public_html directory.
2) Use your preferred text editor to open the .htaccess file. If the .htaccess file does not already exist, create it.
3) Copy the following lines and paste them into the .htaccess file:

<IfModule mod_headers.c>
  # HSTS. max-age is in seconds: 300 is a short value that is easy to back out
  # of while testing; the HSTS preload list only accepts max-age of at least
  # 31536000 (one year) together with includeSubDomains and preload.
  Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
  # Append HttpOnly and Secure to every cookie the application sets
  Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
  # Only allow this site to frame its own pages
  Header always set X-Frame-Options "sameorigin"
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Permitted-Cross-Domain-Policies "none"
  # Later "Header set" lines overwrite earlier ones for the same header, so
  # Referrer-Policy is set exactly once here
  Header set Referrer-Policy "no-referrer"
  # Stop browsers from MIME-sniffing responses away from the declared type
  Header set X-Content-Type-Options "nosniff"
</IfModule>

4) Save your changes to the .htaccess file. HSTS is now enabled for your site.
5) Confirm that your site now sends the Strict-Transport-Security header using the following command (the match is case-insensitive because HTTP/2 servers send header names in lower case):

read -p "Domain: " domain ; curl -s --head "https://${domain}/" | grep -i 'Strict-Transport-Security'

6) This prompts for the domain you would like to check; as an example, I will use 'hsts.com':

[root@test ~]# read -p "Domain: " domain ; curl -s --head https://${domain}/ | egrep 'Strict-Transport-Security'
Domain: hsts.com
Strict-Transport-Security: max-age=300; includeSubDomains; preload
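The curl check above only shows that the header is present. The following Python script is an added example, not part of this article or of Webuzo: it fetches the response head of a domain with the standard library (or evaluates the constructed sample heads embedded in it), parses the Strict-Transport-Security value the way RFC 6797 describes, reports whether it satisfies the preload list's requirements (which the 300-second test value above does not, while the one-year value in the OpenLiteSpeed block below does), and lists which of the other headers from the .htaccess block are missing. The function names, the CHECKLIST and the sample response heads are my own choices for the example.

```python
"""Evaluate HSTS and companion security headers in an HTTPS response head.

Added example for the Webuzo HSTS article, not the article's own code.
"""
import http.client

# The HSTS preload list requires max-age of at least one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000

# Header names set by the article's .htaccess block, lower-cased.
CHECKLIST = [
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "x-xss-protection",
    "x-permitted-cross-domain-policies",
]


def parse_headers(raw_head):
    """Parse 'Name: value' lines of a response head into a dict.

    Names are lower-cased (header names are case-insensitive). Only the first
    occurrence of a name is kept: RFC 6797 tells user agents to process the
    first STS header field and ignore any others.
    """
    headers = {}
    for line in raw_head.splitlines()[1:]:  # first line is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_hsts(value):
    """Split an STS value into {directive: value or None}, lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def evaluate_hsts(raw_head):
    """Describe the HSTS state of a response head.

    'valid' is False when the header is absent or lacks the mandatory max-age
    directive; 'preload_ready' reflects the preload list's three requirements.
    """
    value = parse_headers(raw_head).get("strict-transport-security")
    result = {"present": value is not None, "valid": False, "max_age": None,
              "include_subdomains": False, "preload": False,
              "preload_ready": False}
    if value is None:
        return result
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is not None and max_age.isdigit():
        result["max_age"] = int(max_age)
        result["valid"] = True
    result["include_subdomains"] = "includesubdomains" in directives
    result["preload"] = "preload" in directives
    result["preload_ready"] = (result["valid"]
                               and result["max_age"] >= PRELOAD_MIN_MAX_AGE
                               and result["include_subdomains"]
                               and result["preload"])
    return result


def missing_headers(raw_head):
    """Return the CHECKLIST names the response does not send, in list order."""
    headers = parse_headers(raw_head)
    return [name for name in CHECKLIST if name not in headers]


def fetch_head(domain, timeout=10):
    """HEAD https://<domain>/ and return the raw response head as text."""
    conn = http.client.HTTPSConnection(domain, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        lines = ["HTTP/1.1 %d %s" % (resp.status, resp.reason)]
        lines += ["%s: %s" % (k, v) for k, v in resp.getheaders()]
    finally:
        conn.close()
    return "\n".join(lines)


# Constructed sample heads: the article's 300-second test value (HTTP/1.1
# style names) and a one-year value as an HTTP/2 server would send it.
SAMPLE_HEAD_SHORT = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Strict-Transport-Security: max-age=300; includeSubDomains; preload
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
"""

SAMPLE_HEAD_YEAR = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
"""

if __name__ == "__main__":
    import sys
    head = fetch_head(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEAD_SHORT
    print(evaluate_hsts(head))
    print("missing:", missing_headers(head))
```

Run it as `python3 hsts_check.py hsts.com` (file name is your choice) to check a live site, or with no argument to evaluate the embedded 300-second sample, which reports present and valid but not preload-ready.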

For OpenLiteSpeed

The above config will not work with the OpenLiteSpeed webserver.
OpenLiteSpeed does not support setting HSTS (or other response headers) through Apache .htaccess directives; from .htaccess it only honours rewrite rules.

Custom config for OLS:

context / {
  allowBrowse             1
  # Each line between the markers is sent as a "Name: value" response header
  extraHeaders            <<<END_extraHeaders
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: upgrade-insecure-requests; connect-src *
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Permissions-Policy: geolocation=(self)
  END_extraHeaders

  rewrite  {

  }
  addDefaultCharset       off

  phpIniOverride  {

  }
}
Note

Once you add the above config, you must restart OpenLiteSpeed to apply the changes.

If you want to enable HSTS for a particular domain only, add the custom config in the per-virtual-host location described here:
https://webuzo.com/docs/developers/custom-virtualhost-config/#openlitespeed-configuration

Output of the check command without the HSTS config:

With HSTS enabled on a domain, you will see output like this:

If you want to enable HSTS server wide, add the config to the custom header option in Webuzo Admin Panel > Apps > OpenLiteSpeed Additional Settings wizard.
Webuzo has a custom header setting in the OpenLiteSpeed configuration wizard; once custom headers like HSTS are added there, they are applied to all domains.
