How to add http headers using Plesk

There are a few reasons why you might want to add custom headers to your website, but the most common one today is adding Apache or nginx security headers. Many of these headers cannot be applied globally across a server, because they would break sites that rely on behaviour the headers restrict, so applying them on a per-site basis is the only practical way to add them.

Here are a couple of other reasons you might want to add custom headers:

  • A web application guide has told you to change or add HTTP/HTTPS headers to your web server config
  • You wish to add one of the following types of headers: Vary, CORS, Cache-Control, X-Frame-Options, etc.

TIP: Plesk’s own support documents on adding CORS headers tell you to put them in fields you won’t see in Plesk, because only admins can edit the “Additional directives” fields. The steps below work around this.

Thankfully Plesk has a feature that makes this easy. Here’s how to do it:

  1. Begin by logging in to Plesk.
  2. Find your domain in the list and either click it to edit its configuration, or move to the grid of configuration buttons. If your options are tabbed, click the “Hosting & DNS” tab.
  3. Select the button called “Apache & nginx Settings”.
  4. Under Common Apache settings you’ll find Additional headers. Select “Enter custom value” and enter your headers there. Even though the title of this section includes “Apache”, most (if not all) items here also apply to nginx unless nginx is disabled. An example of the format/syntax to use is shown below the text entry box.
  5. Each header goes on its own line in the form Header: Value.
  6. When done, scroll down and click OK.

Common security headers to use

The following is a good set of security headers to apply to your site, though it is strongly recommended to look up how to set a Content-Security-Policy, as the correct value depends heavily on your site’s content.

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'; img-src 'self' https://secure.gravatar.com https://www.facebook.com https://i.ytimg.com

These headers restrict what other sites can do with yours. For example, X-Frame-Options: SAMEORIGIN tells the browser that only pages served from your own domain may put your site in a frame/iframe, which blocks clickjacking from other origins.

Warning: You may not wish to use Content-Security-Policy if you’re using WordPress and you regularly add new functionality. The goal of this header is to ensure that only the sources specified in the list are allowed to provide files for your website. If you set this header and then add functionality to the site that relies on a resource (image, JavaScript, stylesheet) not included in that list, that functionality will likely fail until you add the resource to the list. That said, you can use our guide to your browser’s web inspector and its console tab to diagnose such issues and update your CSP header, since errors of this kind are reported there.
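To confirm the headers entered in Plesk are actually being served, here is an added example (not from this post or from Plesk) that parses the same Header: Value lines as above, compares them with a server’s response headers, and treats CSP directive by directive so source order does not matter. The response headers below are a constructed sample; fetch_headers() is for checking a real domain.

```python
"""Audit served headers against the Plesk list. Added example, not from the post; the sample response is constructed."""
from urllib.request import Request, urlopen

# The headers recommended in the post, in the Header: Value format Plesk expects.
PLESK_ADDITIONAL_HEADERS = """
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'; img-src 'self' https://secure.gravatar.com https://www.facebook.com https://i.ytimg.com
"""

# Constructed sample of what a server might send back after the change was saved.
SAMPLE_RESPONSE_HEADERS = {
    "X-Frame-Options": "DENY",  # differs from the value entered in Plesk
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "img-src https://i.ytimg.com 'self' https://secure.gravatar.com https://www.facebook.com; frame-ancestors 'self'",
}

def parse_plesk_headers(text):
    """Parse 'Header: Value' lines into {lower-cased name: value}; other lines are skipped."""
    headers = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a CSP into {directive: set(sources)} so source order does not matter."""
    directives = [d.split() for d in value.split(";") if d.strip()]
    return {d[0].lower(): set(d[1:]) for d in directives}

def audit_headers(served, expected):
    """Return {header: 'ok' | 'missing' | 'mismatch'} for each expected header."""
    served = {k.lower(): v.strip() for k, v in served.items()}
    report = {}
    for name, wanted in expected.items():
        got = served.get(name)
        if got is None:
            report[name] = "missing"
        elif name == "content-security-policy":
            report[name] = "ok" if parse_csp(got) == parse_csp(wanted) else "mismatch"
        else:
            report[name] = "ok" if got.lower() == wanted.lower() else "mismatch"
    return report

def fetch_headers(url):
    """Response headers of a live site (HEAD request), to audit a real domain."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.getheaders())
```

Running audit_headers(SAMPLE_RESPONSE_HEADERS, parse_plesk_headers(PLESK_ADDITIONAL_HEADERS)) reports X-Frame-Options as a mismatch and X-Content-Type-Options as missing; replace the sample with fetch_headers("https://your-domain.example") to check a live site.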

About Jordan Schelew

Jordan has been working with computers, security, and network systems since the 90s and is a managing partner at Websavers Inc. As a founder of the company, he's been in the web tech space for over 15 years.
