HTTP headers control how browsers and clients interact with your site. Webinoly provides easy configuration for security headers and custom header management.
Webinoly includes several security headers configured by default. You can customize them to match your security requirements.
X-Content-Type-Options
Prevents MIME type sniffing:
# Enable (default: enabled)
sudo webinoly -header-xcto=true
# Disable
sudo webinoly -header-xcto=false
Sets: X-Content-Type-Options: nosniff
X-Frame-Options
Protects against clickjacking attacks:
# Same origin only (default)
sudo webinoly -header-xfo=SAMEORIGIN
# Deny all framing
sudo webinoly -header-xfo=DENY
# Allow specific URL
sudo webinoly -header-xfo=ALLOW-FROM -header-xfo-url=https://trusted.com
# Disable
sudo webinoly -header-xfo=off
Valid values:
DENY - No framing allowed
SAMEORIGIN - Only same-origin framing
ALLOW-FROM - Specific URL (requires -header-xfo-url)
off - Disable header
X-XSS-Protection
Cross-site scripting filter:
# Enable (legacy browser protection)
sudo webinoly -header-xssp=true
# Disable (modern browsers use CSP)
sudo webinoly -header-xssp=false
Sets: X-XSS-Protection: 1; mode=block
Modern browsers rely on Content Security Policy. This header is mainly for legacy browser support.
Referrer-Policy
Controls referrer information sent to other sites:
# Strict origin when cross-origin (default)
sudo webinoly -header-referrer=strict-origin-when-cross-origin
# No referrer sent
sudo webinoly -header-referrer=no-referrer
# Origin only
sudo webinoly -header-referrer=origin
# Disable
sudo webinoly -header-referrer=off
Valid values:
no-referrer
no-referrer-when-downgrade
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin
unsafe-url
off
Cache-Control
Controls browser and proxy caching:
# No cache (default)
sudo webinoly -header-cache-control=no-cache
# Allow caching
sudo webinoly -header-cache-control="public, max-age=31536000"
# Private cache only
sudo webinoly -header-cache-control="private, max-age=600"
# Disable
sudo webinoly -header-cache-control=off
Cache-Control affects HTML pages. Static assets use separate cache headers.
HTTP Strict Transport Security (HSTS)
Forces HTTPS connections:
# Enable with 1 year (default: 31536000 seconds)
sudo webinoly -header-hsts=31536000
# Enable with preload (2 years + preload list)
sudo webinoly -header-hsts=preload
# Custom duration (6 months)
sudo webinoly -header-hsts=15768000
# Disable
sudo webinoly -header-hsts=off
Format:
- Number: max-age in seconds (max: 31536000 for 1 year)
- preload: Enables HSTS preload (63072000 seconds / 2 years)
- default: Use default value (1 year)
- off: Disable HSTS
HSTS with preload is irreversible without browser update. Only use when you’re certain HTTPS will always be available.
Content Security Policy (CSP)
Define allowed content sources:
# Basic CSP
sudo webinoly -header-csp="default-src 'self'"
# Comprehensive CSP
sudo webinoly -header-csp="default-src 'self'; script-src 'self' 'unsafe-inline' cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'"
# Report-only mode (testing)
sudo webinoly -header-csp="default-src 'self'" -header-csp-report-only=on
# Disable report-only
sudo webinoly -header-csp-report-only=off
# Remove CSP
sudo webinoly -header-csp=""
Start with report-only mode to test CSP without breaking functionality:
sudo webinoly -header-csp="default-src 'self'" -header-csp-report-only=on
Monitor browser console for CSP violations, then adjust policy and switch to enforcing mode.
Permissions Policy
Control browser features and APIs:
# Block FLoC (Google's tracking)
sudo webinoly -header-permissions=floc
# Custom permissions
sudo webinoly -header-permissions="geolocation=(), camera=(), microphone=()"
# Allow specific origins
sudo webinoly -header-permissions="geolocation=(self https://maps.example.com), camera=()"
# Remove header
sudo webinoly -header-permissions=""
Common directives:
geolocation=()
camera=()
microphone=()
payment=()
usb=()
interest-cohort=() (blocks FLoC)
X-Robots-Tag
Control search engine indexing:
# No indexing
sudo webinoly -header-robots="noindex, nofollow"
# No archiving
sudo webinoly -header-robots="noarchive"
# Multiple directives (use pipe separator)
sudo webinoly -header-robots="noindex|noarchive"
# Remove header
sudo webinoly -header-robots=""
Common values:
noindex - Don’t index pages
nofollow - Don’t follow links
noarchive - Don’t cache pages
nosnippet - Don’t show snippets
none - Equivalent to noindex,nofollow
Add your own custom headers beyond the predefined security headers.
- Create custom header files:
# HTTP headers (all requests)
sudo nano /opt/webinoly/templates/source/custom_header_http_webinoly.data
# HTTPS headers (SSL only)
sudo nano /opt/webinoly/templates/source/custom_header_https_webinoly.data
# HTML headers (HTML responses only)
sudo nano /opt/webinoly/templates/source/custom_header_html_webinoly.data
- Add headers in Nginx format:
add_header X-Custom-Header "Custom Value";
add_header X-Server-ID "server-01";
add_header X-API-Version "2.0";
- Reload custom headers:
sudo webinoly -custom-headers=reload
- Remove custom headers:
sudo webinoly -custom-headers=remove
This removes custom headers from the Nginx configuration but preserves the source files.
HTTP Headers (custom_header_http_webinoly.data):
- Applied to all HTTP and HTTPS requests
- Suitable for: CORS, API headers, general security headers
HTTPS Headers (custom_header_https_webinoly.data):
- Applied only to HTTPS requests
- Suitable for: HSTS, strict security headers, SSL-specific headers
HTML Headers (custom_header_html_webinoly.data):
- Applied only to HTML responses (text/html)
- Suitable for: CSP, frame options, content-specific headers
Webinoly header configurations are stored in:
/etc/nginx/common/headers-http.conf - HTTP/HTTPS headers
/etc/nginx/common/headers-https.conf - HTTPS-only headers
/etc/nginx/common/headers-html.conf - HTML response headers
/etc/nginx/common/headers.conf - Main header include file
Secure WordPress Site
# Prevent framing
sudo webinoly -header-xfo=SAMEORIGIN
# HSTS with preload
sudo webinoly -header-hsts=preload
# Content Security Policy
sudo webinoly -header-csp="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:"
# Block FLoC
sudo webinoly -header-permissions=floc
# CORS headers in custom file
sudo nano /opt/webinoly/templates/source/custom_header_http_webinoly.data
Add:
add_header Access-Control-Allow-Origin "https://app.example.com";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Max-Age "86400";
Then reload:
sudo webinoly -custom-headers=reload
Staging Environment
# Prevent search engine indexing
sudo webinoly -header-robots="noindex, nofollow"
# Add environment indicator
sudo nano /opt/webinoly/templates/source/custom_header_http_webinoly.data
Add:
add_header X-Environment "staging";
Static Asset Server
# Long cache times
sudo webinoly -header-cache-control="public, max-age=31536000, immutable"
# CORS for fonts
sudo nano /opt/webinoly/templates/source/custom_header_http_webinoly.data
Add:
add_header Access-Control-Allow-Origin "*";
Verify your header configuration:
# Check all headers
curl -I https://example.com
# Check specific header
curl -I https://example.com | grep X-Frame-Options
# Verbose output
curl -v https://example.com 2>&1 | grep "<"
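The manual curl checks above, turned into an added shell audit (example code, not part of Webinoly): it reads a saved `curl -sI https://example.com > headers.txt` dump and flags headers that are missing or weaker than the defaults this page configures; the file names and the sample dump are constructed for the example.

```shell
#!/bin/sh
# Added example, not Webinoly code: audit a saved header dump (the output of
# `curl -sI https://example.com > headers.txt`) against the header set this page configures.
# Print the value of header $2 from dump $1. Name match is case-insensitive; the last
# occurrence wins, mirroring Nginx's "last add_header in the same context wins" rule.
header_value() {
  tr -d '\r' < "$1" | grep -i "^$2:" | tail -n 1 | cut -d: -f2- \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Extract the max-age number from a value like "max-age=63072000; includeSubDomains; preload".
hsts_max_age() {
  printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | grep -i '^max-age=' | cut -d= -f2
}

# Print one finding per line; return 0 when every check passes, 1 otherwise.
audit_headers() {
  f=$1; rc=0
  v=$(header_value "$f" X-Content-Type-Options)
  [ "$v" = nosniff ] || { echo "X-Content-Type-Options: expected nosniff, got '$v'"; rc=1; }
  v=$(header_value "$f" X-Frame-Options)
  case "$v" in
    DENY|SAMEORIGIN) ;;
    *) echo "X-Frame-Options: expected DENY or SAMEORIGIN, got '$v'"; rc=1 ;;
  esac
  age=$(hsts_max_age "$(header_value "$f" Strict-Transport-Security)")
  case "$age" in
    '') echo "Strict-Transport-Security: missing or without max-age"; rc=1 ;;
    *[!0-9]*) echo "Strict-Transport-Security: non-numeric max-age '$age'"; rc=1 ;;
    *) [ "$age" -ge 31536000 ] || { echo "Strict-Transport-Security: max-age $age is below one year"; rc=1; } ;;
  esac
  if [ -z "$(header_value "$f" Content-Security-Policy)" ]; then
    if [ -n "$(header_value "$f" Content-Security-Policy-Report-Only)" ]; then
      echo "Content-Security-Policy: only report-only is set; switch to enforcing once violations are resolved"
    else
      echo "Content-Security-Policy: missing"
    fi
    rc=1
  fi
  [ -n "$(header_value "$f" Referrer-Policy)" ] || { echo "Referrer-Policy: missing"; rc=1; }
  return $rc
}

# Constructed sample dump of a weakly configured host, used when no file is given as $1.
SAMPLE_DUMP=$(printf 'HTTP/2 200\r\nX-Frame-Options: ALLOW-FROM https://trusted.com\r\nStrict-Transport-Security: max-age=600\r\nContent-Security-Policy-Report-Only: default-src '"'"'self'"'"'\r\n')
target=${1:-}
if [ -z "$target" ]; then
  target=$(mktemp); printf '%s\n' "$SAMPLE_DUMP" > "$target"
fi
if audit_headers "$target"; then echo "OK: all checked headers are set"; fi
```

Run it against dumps of several URLs on the same site, not just the front page: a header that is present on one path but missing on another usually means a location block with its own add_header directives, which in Nginx replaces the inherited set rather than extending it.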
Header Priority and Overrides
Header precedence in Nginx:
- Location-specific headers (most specific)
- Server block headers
- Common header files (Webinoly defaults)
- HTTP block headers (least specific)
To override Webinoly headers, define them in:
- Site-specific configuration:
/etc/nginx/sites-available/[domain]
- Custom header files (as shown above)
Troubleshooting
- Check Nginx configuration
- Verify header files exist:
ls -la /etc/nginx/common/headers*.conf
- Check if headers are included:
grep "include common/headers" /etc/nginx/sites-available/example.com
- Reload Nginx:
sudo systemctl reload nginx
If multiple add_header directives exist:
- The last definition in the same context wins
- Use the always parameter to ensure the header is added regardless of the response status code:
add_header X-Custom "value" always;
CSP Violations
Debug CSP issues:
- Use browser developer console (F12)
- Look for CSP violation reports
- Start with permissive policy, then restrict:
# Permissive (testing)
sudo webinoly -header-csp="default-src * 'unsafe-inline' 'unsafe-eval' data: blob:" -header-csp-report-only=on
# Then gradually restrict based on violations
Best Practices
- Start Strict: Enable all security headers, then relax if needed
- Test Changes: Use report-only mode for CSP before enforcing
- Monitor Impact: Check site functionality after header changes
- Document Custom Headers: Comment your custom header files
- Regular Audits: Periodically review header configuration
- Use HTTPS: Many security headers only work over HTTPS
- Combine Headers: Use multiple security headers for defense in depth