Security headers are essential for protecting your websites from common web vulnerabilities by controlling how browsers behave. This guide will walk you through the correct way to add custom security headers in xCloud, covering both OpenLiteSpeed (OLS) and NGINX web servers.
In xCloud, directly editing the main server configuration files (like vhconf.conf) is not recommended, as these files are managed by the control panel and can be overwritten automatically when changes are made via the UI.
Add Custom Security Headers on OLS Servers in xCloud
Step 1: SSH Into Your Server
Before making any changes, you must SSH into your OLS server:
Step 2: Use the vhconf.server.conf Config File
Use the following file to define your custom HTTP security headers:
/usr/local/lsws/conf/vhosts/tstr.io/vhconf.server.conf
This file is not overwritten by the xCloud panel and is ideal for persisting manual changes such as custom headers.
Step 3: Add Security Headers
To add custom security headers, update vhconf.server.conf with the following block:
context / {
extraHeaders <<<END_extraHeaders
set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
set Referrer-Policy "strict-origin-when-cross-origin";
set Content-Security-Policy "upgrade-insecure-requests";
set Permissions-Policy "accelerometer=(), autoplay=(self https://www.youtube.com https://www.google.com https://www.facebook.com https://www.instagram.com https://platform.twitter.com https://player.vimeo.com https://www.linkedin.com https://js.hsforms.net), camera=self, cross-origin-isolated=(), display-capture=self, encrypted-media=(self https://www.youtube.com https://www.facebook.com https://www.instagram.com https://player.vimeo.com), fullscreen=(self https://www.youtube.com https://www.vimeo.com https://player.vimeo.com https://www.instagram.com https://www.facebook.com https://platform.twitter.com https://www.linkedin.com), geolocation=(self https://www.google.com), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=self, midi=(), payment=(self https://connect.stripe.com https://checkout.paypal.com https://js.squareup.com), picture-in-picture=(self https://www.youtube.com https://www.vimeo.com https://player.vimeo.com https://www.instagram.com https://www.facebook.com), publickey-credentials-get=self, screen-wake-lock=(), usb=(), web-share=(self https://www.youtube.com https://www.facebook.com https://www.instagram.com https://platform.twitter.com https://www.linkedin.com), xr-spatial-tracking=(), clipboard-write=self, clipboard-read=self, interest-cohort=()";
END_extraHeaders
}
Step 4: Apply the Configuration
After updating the configuration, restart LiteSpeed to apply the changes:
systemctl restart lsws && killall -9 lsphp
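After the restart, confirm that the headers actually reach the client. The script below is an added example, not part of the xCloud documentation: it reads `curl -sI` output on stdin, checks for the four headers set in Step 3, and flags an HSTS value that falls short of what `preload` requires. The function names and the URL in the comment are placeholders chosen for this example.

```bash
#!/usr/bin/env bash
# Added example (not xCloud code): check that the Step 3 headers are really served.
# Real use:  curl -sI https://your-site.example/ | check_headers   (placeholder URL)

# Header names set by the Step 3 block, lowercased for comparison.
EXPECTED="strict-transport-security referrer-policy content-security-policy permissions-policy"

# header_value RAW NAME: print the value of header NAME from a raw header dump.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    { i = index($0, ":"); if (i == 0) next            # skip status and blank lines
      if (tolower(substr($0, 1, i - 1)) == want) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# check_headers: read response headers on stdin, print findings, return 1 on any failure.
check_headers() {
  ch_raw=$(cat); ch_rc=0
  for ch_h in $EXPECTED; do
    if [ -n "$(header_value "$ch_raw" "$ch_h")" ]; then echo "OK      $ch_h"
    else echo "MISSING $ch_h"; ch_rc=1; fi
  done
  # The Step 3 HSTS value includes preload; preload-list submission requires
  # max-age of at least one year (31536000 s) and includeSubDomains.
  ch_v=$(header_value "$ch_raw" strict-transport-security | tr 'A-Z' 'a-z')
  if [ -n "$ch_v" ]; then
    ch_age=$(printf '%s' "$ch_v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ "${ch_age:-0}" -ge 31536000 ] || { echo "WEAK    hsts max-age=${ch_age:-none}"; ch_rc=1; }
    case "$ch_v" in *includesubdomains*) ;; *) echo "WEAK    hsts lacks includeSubDomains"; ch_rc=1 ;; esac
  fi
  return "$ch_rc"
}

# Constructed sample response (not captured from a real server).
SAMPLE='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
referrer-policy: strict-origin-when-cross-origin
content-security-policy: upgrade-insecure-requests
permissions-policy: camera=self, usb=()
'
printf '%s' "$SAMPLE" | check_headers
```

A `MISSING` line after a restart usually means the block was added to a file the server does not load, or that a proxy in front of the server is stripping the header.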
Add Custom Security Headers on NGINX Servers in xCloud
For NGINX-based xCloud servers, you can add custom security headers right from the xCloud Dashboard.
Read this documentation for more information about custom NGINX:
How To Configure Custom NGINX In xCloud?
Notes
- Do not edit vhconf.conf directly; it’s automatically regenerated by the xCloud panel.
- Use vhconf.server.conf on OLS servers to retain customizations.
- Always restart LiteSpeed or NGINX after making changes for them to take effect.
And that’s it. This is how easily you can add custom security headers in xCloud for OLS and NGINX servers. Adding custom security headers is a crucial step in hardening your website against common threats such as cross-site scripting, clickjacking, and data injection attacks. It’s important to apply these headers in a way that aligns with the platform’s configuration management to avoid losing changes during updates.
Still stuck? Contact our support team for any of your queries.