Configure HTTP-Security-Header in Plesk

Plesk offers the option of adding additional HTTP headers to all HTTP responses. This option should only be used if the web application used can still provide these independently.

Configuration

Log in to the Plesk Control Panel via our Customer Center at account.creoline.com. Then navigate to the website for which you want to provide additional HTTP headers and click on Apache & NGINX in the Hosting tab. In the last section under "Additional nginx instructions", add the desired headers according to the following scheme:

add_header <name of the header> <value>;

Important HTTP headers

Below we summarize some important HTTP security headers:

Strict-Transport-Security (HSTS)

This header enforces the use of HTTPS by informing the browser that the website may only be accessed via a secure connection. This prevents a user from inadvertently communicating via an insecure HTTP connection.

Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Referrer-Policy

This header determines what information is sent to the target page in the Referer header when a user navigates from one page to another. This makes it possible to control the disclosure of sensitive information about the origin of requests.

Example:

Referrer policy: no-referrer

Content-Security-Policy

This header protects against cross-site scripting (XSS) and other code injection attacks by specifying which resources (e.g. scripts, styles) may be loaded from a website. A restrictive configuration can be used to block harmful content.

Example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com

Permissions-Policy

With this header, a website can specify which APIs and functions (e.g. camera, microphone, geolocation) may be used by the browser. In this way, access to potentially abusable interfaces can be restricted.

Example:

Permissions policy: geolocation=(), microphone=()

X-Frame-Options

This header prevents clickjacking attacks by controlling whether a web page may be embedded within an `>. This can prevent malicious pages from overlaying content from another website.</p> <p><br></p> <p>Example:</p> <pre><code class="language-bash">X-Frame-Options: DENY</code></pre> <p><br></p> <h3 id="x-content-type-options">X-Content-Type-Options</h3> <p>This header can be used to instruct the browser to interpret the <code>Content-Type</code> of a file strictly according to the server specification. This prevents MIME sniffing, which can lead to security vulnerabilities in some cases.</p> <p><br></p> <p>Example:</p> <pre><code class="language-bash">X-Content-Type-Options: nosniff</code></pre> <p><br></p> <hr /> <h2 id="example-configuration-wordpress">Example configuration "WordPress"</h2> <p><br></p> <pre><code class="language-bash"># Referrer-Policy: Controls which referrer information is sent add_header Referrer-Policy "no-referrer-when-downgrade"; # Content-Security-Policy: Restricts the loading of external resources add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'none';"; # Permissions-Policy: Restricts access to certain APIs add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), interest-cohort=()"; # X-Frame-Options: Prevents clickjacking add_header X-Frame-Options "SAMEORIGIN"; # X-Content-Type-Options: Prevents MIME sniffing add_header X-Content-Type-Options "nosniff";</code></pre> <p><br></p> <div class="alert alert-warning"><p>Please note that adjustments to the sample configuration may be necessary for your WordPress website.</p></div> </div> <div class="documents--list"> </div> <div class="document--similar-articles"> <div class="title me-3">Similar articles</div> <div class="documents--list mt-3"> <ul class="nav flex-column mb-2"> <li class="nav-item"> <a class="nav-link" href="/en/doc/permissions-for-files-and-folders-ee2AIfg3WF"> <span class="title">Permissions for files and folders</span> </a> </li> <li class="nav-item"> <a class="nav-link" href="/en/doc/install-nodejs-and-npm-R659PKt3Ft"> <span class="title">Install Node.js and npm</span> </a> </li> <li class="nav-item"> <a class="nav-link" href="/en/doc/nginx-w8JnqJ6r9j"> <span class="title">NGINX</span> </a> </li> <li class="nav-item"> <a class="nav-link" href="/en/doc/apache2-Ck1dB28UXY"> <span class="title">Apache2</span> </a> </li> <li class="nav-item"> <a class="nav-link" href="/en/doc/litespeed-P8G02C3igg"> <span class="title">LiteSpeed</span> </a> </li> </ul> </div> </div> <div class="document--feedback"> <div class="d-flex align-items-center"> <div class="title me-3">Was this page helpful?</div> <div class="mx-2"> <form action="https://help.creoline.com/en/doc/c1ecf937-8d73-47d4-845d-93da667a7da0/feedback" class="form--document-vote" method="post"> <input type="hidden" name="vote" value="up"> <button type="submit" class="btn btn-light"> <i class="fal fa-thumbs-up me-1"></i> Yes </button> </form> </div> <div class="mx-2"> <form action="https://help.creoline.com/en/doc/c1ecf937-8d73-47d4-845d-93da667a7da0/feedback" class="form--document-vote" method="post"> <input type="hidden" name="vote" value="down"> <button type="submit" class="btn btn-light"> <i class="fal fa-thumbs-down me-1"></i> No </button> </form> </div> </div> </div> </div> <div class="d-none d-lg-block col-4"> <div class="document--toc sticky-top"> <div class="toc--list"> <div class="list--headline"> On this page </div> <ul> <li><a href="#configure-http-security-header-in-plesk">Configure HTTP-Security-Header in Plesk</a> <ul> <li><a href="#configuration">Configuration</a></li> <li><a href="#important-http-headers">Important HTTP headers</a> <ul> <li><a href="#strict-transport-security-hsts">Strict-Transport-Security (HSTS)</a></li> <li><a href="#referrer-policy">Referrer-Policy</a></li> <li><a href="#content-security-policy">Content-Security-Policy</a></li> <li><a href="#permissions-policy">Permissions-Policy</a></li> <li><a href="#x-frame-options">X-Frame-Options</a></li> <li><a href="#x-content-type-options">X-Content-Type-Options</a></li> </ul></li> <li><a href="#example-configuration-wordpress">Example configuration "WordPress"</a></li> </ul></li> </ul> </div> </div> </div> </div> <script> window.addEventListener('DOMContentLoaded', () => { const observer = new IntersectionObserver(entries => { entries.forEach(entry => { const id = entry.target.getAttribute('id'); if (entry.intersectionRatio > 0) { document.querySelector(`li a[href="#${id}"]`).parentElement.classList.add('active'); } else { document.querySelector(`li a[href="#${id}"]`).parentElement.classList.remove('active'); } }); }); // Track all sections that have an `id` applied document.querySelectorAll('h2[id], h3[id]').forEach((section) => { observer.observe(section); }); }); </script> </div> <div class="container"> <div class="content-footer"> <div class="row"> <div class="col-12 col-lg-4"> <ul class="list--icons"> <li> <i class="fas fa-question-circle mx-2"></i> Questions? <a href="https://help.creoline.com/doc/kontakt-aufnehmen-ogxzz4bVuZ">Contact us</a>. </li> <li> <i class="fas fa-user mx-2"></i> Already a customer? <a href="https://account.creoline.com/support/tickets/">Create support ticket</a>. </li> </ul> </div> <div class="col-12 col-lg-5 mt-3 mt-lg-0"> <div> <b>Emergency?</b> </div> <div class="mt-1"> In urgent cases, our emergency hotline is available around the clock at <a href="tel:+4925079008034">+49 2507 900 80 - 34</a>. </div> </div> <div class="col-12 col-lg-3 mt-3 mt-lg-0 text-center text-lg-end"> <ul class="list--icons"> <li> <a href="https://www.creoline.com/legal/privacy/" class="text-muted" target="_blank" rel="noopener"> Data Protection </a>  ·  <a href="https://www.creoline.com/legal/imprint/" class="text-muted" target="_blank" rel="noopener"> Imprint </a> </li> <li> © 2025 creoline GmbH </li> </ul> </div> </div> </div> </div> </div> </div> </div> </div> <div data-creoline-id="token" data-url="https://api.creoline.com/v1/session/token"></div> <script src="/assets/help/dist/script.js?v=20240619"></script> <script> window.intercomSettings = { api_base: "https://api-iam.eu.intercom.io", app_id: "o08uq8et", language_override: 'en', vertical_padding: 20, source: ' (Visitor)', }; </script> <script> var w = window; var ic = w.Intercom; if (typeof ic === "function") { ic('reattach_activator'); ic('update', w.intercomSettings); } else { } var d = document; var i = function() { i.c(arguments); }; i.q = []; i.c = function(args) { i.q.push(args); }; w.Intercom = i; var l = function() { var s = d.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src = 'https://widget.intercom.io/widget/o08uq8et'; var x = d.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x); }; l(); // (function(){var w=window;var ic=w.Intercom;if(typeof ic==="function"){ic('reattach_activator');ic('update',w.intercomSettings);}else{var d=document;var i=function(){i.c(arguments);};i.q=[];i.c=function(args){i.q.push(args);};w.Intercom=i;var l=function(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='https://widget.intercom.io/widget/o08uq8et';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);};if(document.readyState==='complete'){l();}else if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}}})(); </script> <style> #modal-search { padding-top: 6vh; @media (min-width: 992px) { padding-top: 15vh; } } </style> <div class="modal fade" id="modal-search" tabindex="-1" aria-hidden="true"> <div class="modal-dialog modal-lg"> <div class="modal-content"> <div class="modal-body p-0"> <div class="search-input p-2"> <div class="input-group"> <input type="search" class="form-control form-control-lg border-0" data-url="https://help.creoline.com/en/search" placeholder="Search Help Center..." style="box-shadow: none" autofocus> <div class="input-group-text bg-white border-0"> <i class="fal fa-search"></i> </div> </div> </div> <div class="search-results border-top" style="display: none;"> <div class="search-results-scrollable p-2" style="max-height: 500px; overflow-y: auto; scroll-behavior: smooth; scroll-padding:50px;"> </div> <div class="d-none d-lg-block bg-light px-3 py-2 text-muted text-small" style="border-bottom-left-radius: 5px; border-bottom-right-radius: 5px; box-shadow: 0 -1px 2px rgba(0,0,0,.05)"> <span class="fw-semibold">Pro-Hint:</span> You can open the search with the shortcut <span class="badge badge-sm bg-secondary text-small">/</span>. </div> </div> </div> </div> </div> </div> </body> </html>