There are a few reasons you might want to add custom headers to your website, but the most common reason today is to add Apache or nginx security headers. Many of these headers cannot be pre-applied globally, because they would directly break sites that rely on behaviour the headers restrict, so applying them on a per-site basis is the best and only way to add them.
Here are a couple of other reasons you might want to add custom headers:
- A web application guide has told you to change or add HTTP/HTTPS headers to your web server config
- You wish to add one of the following types of headers: Vary, CORS, Cache-Control, X-Frame-Options, etc.
TIP: the Plesk support documents on adding CORS headers tell you to add these headers to fields you don’t see in Plesk, because only admins have access to edit the “Additional directives” fields. The steps below work around this issue.
Thankfully Plesk has a feature that makes this easy! Here’s how to do it:
- Begin by logging in to Plesk
- Find your domain in the list and either click on it to edit its config, or bring your focus to the grid of button configuration options. If your options are tabbed, click on the “Hosting & DNS” tab
- Select the button called “Apache & nginx Settings”
- Under “Common Apache settings” you’ll find “Additional headers”. Select “Enter custom value” and enter your headers there. Note that even though the title of this section includes “Apache”, most (if not all) items here also apply to nginx unless it is disabled. An example of the format/syntax to use is shown below the text entry box.
- The format to use here is
- When done, scroll down and click OK.
Common security headers to use
The following is a good set of security headers to apply to your site, though it is strongly recommended to look up how to set a Content-Security-Policy, because the correct value depends heavily on your site’s content.
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'; img-src 'self' https://secure.gravatar.com https://www.facebook.com https://i.ytimg.com
These headers prevent other sites from abusing your site. For example, X-Frame-Options: SAMEORIGIN specifies that only pages served from your own domain may put your site in a frame/iframe.
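As an added example (not from the original post), here is a Python check that parses a captured HTTP response and reports which of the headers above are missing or weak, so you can confirm Plesk actually sends them; the two responses are constructed samples, and the check also accepts DENY for X-Frame-Options since it is stricter than SAMEORIGIN.

```python
# Header -> values accepted by this check (compared case-insensitively).
RECOMMENDED = {
    "X-Frame-Options": {"sameorigin", "deny"},
    "X-XSS-Protection": {"1; mode=block"},
    "X-Content-Type-Options": {"nosniff"},
}

GOOD_RESPONSE = (  # constructed sample, carrying exactly the header set above
    "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: frame-ancestors 'self'; img-src 'self' "
    "https://secure.gravatar.com https://www.facebook.com https://i.ytimg.com\r\n"
    "\r\n<html></html>")

WEAK_RESPONSE = (  # constructed sample: two headers missing, CSP lacks frame-ancestors
    "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n\r\n<html></html>")


def parse_response_headers(raw: str) -> dict:
    """Header block of a raw HTTP/1.1 response -> dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)     # first colon ends the name
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, accepted in RECOMMENDED.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif value.lower() not in accepted:
            findings.append(f"{name} has unexpected value '{value}'")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # Each directive is "name source ..."; frame-ancestors is the CSP
        # counterpart of X-Frame-Options and wins when both are present.
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        sources = directives.get("frame-ancestors")
        if sources is None:
            findings.append("Content-Security-Policy has no frame-ancestors directive")
        elif "*" in sources:
            findings.append("frame-ancestors allows framing from any origin")
    return findings
```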