Web server security settings

jasonwch · November 3, 2025, 1:56am

Hi, I am using HestiaCP default setup with Nginx proxy+Apache web server. For header security settings. should I add on both NGINX and Apache? will it make any benefit or will be excessively double loaded?

Thanks

NGINX
add_header Content-Security-Policy upgrade-insecure-requests;
add_header X-XSS-Protection “1; mode=block”;
add_header X-Content-Type-Options “nosniff”;
add_header Expect-CT ‘enforce; max-age=7776000’;
add_header X-Frame-Options “SAMEORIGIN”;

APACHE
Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS
Header always set X-Content-Type-Options “nosniff”
Header always set X-XSS-Protection “1; mode=block”
Header always set Expect-CT “max-age=7776000, enforce”
Header always set Referrer-Policy: “no-referrer-when-downgrade”
Header always set Content-Security-Policy “upgrade-insecure-requests”

sahsanu · November 3, 2025, 2:35am

Hi,

Only in one of them.

Also, keep in mind that for HSTS (Strict-Transport-Security) you can add it to your web domain directly from Hestia.

jasonwch · November 3, 2025, 2:38am

got it, thanks.

I’ve reading through the forum, saying NOT to modify these file directly.

/etc/apache2/apache2.conf

/etc/nginx/nginx.conf

May I know where should I put to custom config file to play safe if I want it to be site specific (prevent overwriting when upgraded)

I am trying to add some Apache custom setting but restart Apache failed

Add a new file to

/home/USERNAME/conf/web/DOMAIN/apache2.ssl.conf_customsec

Then add these 2 lines inside

ServerTokens Prod
ServerSignature Off

But then cannot restart Apache server. However, if I add these 2 lins directly to apache2.ssl.conf, it’s working

sahsanu · November 3, 2025, 2:55am

You can create specific web templates for your sites or you can also add conf files nginx.conf_whatever and nginx.ssl.conf_whatever and add there your directives to add the needed headers.

Those files must be created in /home/YourUser/conf/web/YourDomain/. Hestia web templates include these directives that will load those files.

In nginx.conf:

[...]
include /home/YourUser/conf/web/YourDomain/nginx.conf_*;
[...]

In nginx.ssl.conf:

[...]
include /home/YourUser/conf/web/YourDomain/nginx.ssl.conf_*;
[...]

Those files won’t be modified in upgrades or rebuilding your site. The same if you prefer to create your own web template.

jasonwch · November 3, 2025, 2:58am

Thanks, I’ve tried this on apache config but failed to restart Apache2 service

Add a new file to

/home/USERNAME/conf/web/DOMAIN/apache2.ssl.conf_customsec

Then add these 2 lines inside

ServerTokens Prod

ServerSignature Off

sahsanu · November 3, 2025, 3:03am

Those directives are global, so you can’t add them inside a VirtualHost. Also, there’s no need to include them, nobody will connect directly to Apache. Clients will only see Nginx, and Nginx already provides this “protection”.

❯ grep server_tokens /etc/nginx/nginx.conf
        server_tokens                   off;

jasonwch · November 3, 2025, 4:05am

cool cool….thanks so much

Coz when I am doing phpinfo, I can still see the Apache version. (not sure if this is related to I’ve removed all proxy extension because my web app have issue with thus)

I will focus on adjusting other things primarily on Nginx now. Thanns

sahsanu · November 3, 2025, 4:20am

Because php is runing on Apache.

jasonwch · November 3, 2025, 7:33am

@sahsanu

I’ve got this setup and seems can balance security and accessibility. Please comment.

Create new template which applies to my web domains

/usr/local/hestia/data/templates/web/apache2/php-fpm/default_secured.stpl

/usr/local/hestia/data/templates/web/apache2/php-fpm/default_secured.tpl

Add following lines

ServerTokens Prod
ServerSignature Off

/usr/local/hestia/data/templates/web/nginx/default_secured.stpl

/usr/local/hestia/data/templates/web/nginx/default_secured.tpl

add following lines

	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header Content-Security-Policy "upgrade-insecure-requests;";
	add_header X-Content-Type-Options "nosniff";
	add_header Referrer-Policy "strict-origin-when-cross-origin";

And then I’ve tried to run security scan from several website. Most are fine, but cyberchief.ai gives me some other security advise on Cross-Origin-XXXX

Then I try to search through google, but I think I am too limited in my knowledge to understand. May I seek for you advise whether needed to apply those Cross-Origin-XXXX header as well?

Thanks so much

ducky · November 14, 2025, 8:58am

Hello,

Yes, but if you want to increase the default value of HSTS set by Hestia, you’ll have to either set hsts with v-add-web-domain-ssl-hsts than edit $HOMEDIR/$user/conf/web/$domain/$WEB_SYSTEM.hsts.conf
Or put it directly in a template as Jason did

Depending on what you’re doing one can be easier than the other

system · December 14, 2025, 8:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.