Configuring HTTP Security Headers in Plesk

Plesk allows you to add additional HTTP headers to all HTTP responses. This option should only be used if the web application in use is still capable of providing these headers on its own.



Configuration

Log in to the Plesk Control Panel via our Customer Center at account.creoline.com. Then navigate to the website for which you want to add additional HTTP headers and click Apache & NGINX in the Hosting tab. In the last section, under “Additional nginx Instructions,” add the desired headers using the following format:


add_header <Header Name> <Value>;



Important HTTP Headers

Below, we summarize some important HTTP security headers:


Strict-Transport-Security (HSTS)

This header enforces the use of HTTPS by instructing the browser that the website may only be accessed via a secure connection. This prevents a user from accidentally communicating over an insecure HTTP connection.


Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload


Referrer-Policy

This header determines what information is sent to the destination page in the Referer header when a user navigates from one page to another. This allows you to control the disclosure of sensitive information about the origin of requests.


Example:

Referrer-Policy: no-referrer


Content-Security-Policy

This header protects against cross-site scripting (XSS) and other code injection attacks by specifying which resources (e.g., scripts, styles) are allowed to be loaded by a webpage. A restrictive configuration can block malicious content.


Example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com


Permissions-Policy

This header allows a website to specify which APIs and features (e.g., camera, microphone, geolocation) may be used by the browser. This helps restrict access to interfaces that could potentially be misused.


Example:

Permissions-Policy: geolocation=(), microphone=()


X-Frame-Options

This header prevents clickjacking attacks by controlling whether a webpage may be embedded within a <iframe>. This prevents malicious sites from overlaying content from another website.


Example:

X-Frame-Options: DENY


X-Content-Type-Options

This header instructs the browser to interpret a file’s Content-Type strictly according to the server’s specification. This prevents so-called MIME sniffing, which can lead to security vulnerabilities in some cases.


Example:

X-Content-Type-Options: nosniff



Example “WordPress” Configuration


# Referrer-Policy: Controls which referrer information is sent
add_header Referrer-Policy "no-referrer-when-downgrade";

# Content-Security-Policy: Restricts the loading of external resources
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'none';";

# Permissions-Policy: Restricts access to certain APIs
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), interest-cohort=()";

# X-Frame-Options: Prevents clickjacking
add_header X-Frame-Options "SAMEORIGIN";

# X-Content-Type-Options: Prevents MIME sniffing
add_header X-Content-Type-Options "nosniff";


Please note that you may need to adjust the sample configuration for your WordPress website.