Web security is a key factor in protecting users and preventing attacks like code injections, data theft, or unauthorized access. An effective way to strengthen your site's security is by setting up security headers on the server.
In this article, we'll explain what HTTP security headers are, why they're important, and how to configure them on your website.
In a shared hosting environment, where we don't have access to the server's core configuration, HTTP security headers can be set up using the .htaccess file or with WordPress plugins.
These headers help protect your site from attacks such as:
πΉ Cross-Site Scripting (XSS)
πΉ Clickjacking
πΉ Malicious code injections
πΉ Man-in-the-Middle (MITM) attacks
In this guide, we'll explain how to set them up on a LiteSpeed server with cPanel, what options you have, and how to verify that they are working correctly.
1οΈβ£ What Are HTTP Security Headers and Why Are They Important?
HTTP security headers are directives sent from the server to the user's browser, telling the web page how to behave in terms of security.
β Benefits of setting them up correctly:
βοΈ They prevent third parties from injecting malicious code. βοΈ They protect against brute-force and MITM attacks. βοΈ They improve the overall security of your website.
β οΈ Before You Start: Make a Backup
Modifying the .htaccess file or setting up HTTP headers in WordPress is a delicate task. A configuration error could:
β Block external scripts
β Disable payment gateways
β Prevent images and styles from loading
β Break key site functionalities
π Before making any changes, create a backup of your site and your .htaccess file.
Read the following guide along with this one for more details: Risks of Security Header Configuration | Sered S.L
2οΈβ£ Methods for Setting Up Headers on Shared Hosting with LiteSpeed
Since we don't have direct access to the server configuration on shared hosting with cPanel and LiteSpeed, we can implement security headers in two ways:
Using the .htaccess file (Recommended for any website, including WordPress).
Using a WordPress plugin (For those who prefer a solution without manually modifying files).
3οΈβ£ Setting Up Security Headers in .htaccess
The .htaccess file is a powerful tool that allows you to modify server behavior without access to the global configuration.
π Locating the .htaccess file in cPanel: 1οΈβ£ Log in to cPanel. 2οΈβ£ Go to File Manager > public_html (or your website's folder). 3οΈβ£ Find the .htaccess file (If you don't see it, make sure to enable "Show Hidden Files"). 4οΈβ£ Edit it with a text editor and add the following lines depending on the headers you want to activate.
π Header 1: Strict-Transport-Security (HSTS) Prevents users from accessing your site via HTTP, forcing HTTPS on all connections.
πΉ Important: This only works if you already have an active SSL certificate on your site. πΉ Code for .htaccess: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" πΉ Explanation:
max-age=31536000: Maintains the policy for 1 year (in seconds).
includeSubDomains: Applies the policy to all subdomains.
preload: Allows the domain to be included in the HSTS preload list in browsers.
π Header 2: X-Frame-Options Prevents Clickjacking attacks by stopping your site from being loaded in a malicious iframe.
πΉ Code for .htaccess: Header always set X-Frame-Options "SAMEORIGIN" πΉ Options:
"DENY" β Blocks loading in any iframe.
"SAMEORIGIN" β Only allows loading if the iframe is on the same domain.
π Header 3: X-Content-Type-Options Prevents browsers from incorrectly detecting a file's type, which helps stop XSS attacks.
πΉ Code for .htaccess: Header always set X-Content-Type-Options "nosniff" πΉ Benefit: Prevents the execution of malicious files that are disguised as images or documents.
π Header 4: Content-Security-Policy (CSP) This header helps prevent attacks like Cross-Site Scripting (XSS) and malicious content injections.
Next, you can refer to the following guide to see how to configure it correctly: Content-Security-Policy (CSP) | Sered S.L
4οΈβ£ Setting Up Security Headers in WordPress with a Plugin
If you don't want to edit the .htaccess file manually, you can use a security plugin for WordPress.
β Recommended options:
Headers Security Advanced & HSTS WP
HTTP Headers (allows for configuring advanced headers)
iThemes Security (a comprehensive option with more features)
Implement these settings in WordPress and strengthen your website's security! ππ
5οΈβ£ How to Verify That the Headers Are Working
To check that the headers are active, use online tools such as:
β Security Headers
β Mozilla Observatory
β Chrome DevTools β "Network" tab > "Headers".
π Verify That Everything Works After applying the changes:
βοΈ Test the website and check if everything loads correctly. It's recommended to clear the WP cache. βοΈ Verify the headers with one of the tools above. βοΈ If something breaks, restore the backup and review your configuration.
π Conclusion
Setting up security headers on shared hosting with LiteSpeed and cPanel is possible using .htaccess or WordPress plugins.
The biggest risks come from overly restrictive settings in Content-Security-Policy, X-Frame-Options, and Referrer-Policy.
Configuring headers in .htaccess or with WordPress plugins can improve your site's security and performance. However, any error in the configuration can affect the site's functionality. Therefore, follow these recommendations:
πΉ Always make a backup before modifying .htaccess.
πΉ Verify the changes with tools like Security Headers.
πΉ If something breaks, deactivate the plugin or restore the .htaccess file.