• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Location of "HTTP response headers"

Zoo3

Regular Pleskian
Server operating system version
CentOS 7.9
Plesk version and microupdate number
18.0.46
I have not set the following items, yet when I check the security verification site, it appears they are already set.
Are they specified by Plesk? Where are they located?

Code:
add_header Referrer-Policy "XXX" always;
add_header X-Content-Type-Options "XXX" always;
add_header X-Frame-Options "XXX" always;
add_header X-Permitted-Cross-Domain-Policies "XXX" always;
add_header X-Robots-Tag "XXX" always;
add_header X-XSS-Protection "XXX" always;
 
As far as I know, Plesk doesn't set such headers.
Perhaps they were installed by some WordPress plugin?
 
As far as I know, Plesk doesn't set such headers.
Perhaps they were installed by some WordPress plugin?
I don't think so, as I don't use WordPress.

I checked all the nginx ".conf" files in the server again.
I still could not find the description of the X header there.
- /etc/nginx/conf.d
- /etc/nginx/plesk.conf.d
- /var/www/vhosts/MYDOMAIN/system/DOMAIN & SUBDOMAIN

There is one thing that concerns me. That is when I check the response headers in the developer tools of Firefox or Chrome, those headers appear twice each.
When I delete those header descriptions, of course those headers disappear. And when I add headers, they double.

What could be the cause of this?
 
Can you reproduce this behaviour on a newly created site with a default homepage?
 
Can you reproduce this behaviour on a newly created site with a default homepage?
I made up my mind and stopped the site to verify. I was able to verify that the headers are not set when I go to pure/initial nginx configuration.

However, when written as nginx, which is guided by the software provider, it seems to call the headers from somewhere. (The X header items are then removed from there.) The headers are set in the browser, even though I certainly don't write them.
This behavior may have nothing to do with Plesk. But what is an nginx configuration that recognizes headers when I haven't written any headers to be added anywhere?
 
According to your other posts you may have been mislead by the Nextcloud guide. There is not really a need to do any specific configuration for Nextcloud in Plesk. If you want to run it "Nginx only", simply deactivate (uncheck) the "Proxy mode" setting in the Apache & Nginx directives and switch your PHP handler to FPM via Nginx. If you need any special server directives, you could add them in the "Additional directives" section at the bottom of the "Apache & Nginx" configuration page in Plesk. However, the additional headers I would also not add there, but in the additional header section on top of that page. All the fast_cgi settings and many of the other major server settings that the Nextcloud docs explain are meant for a barebone server, not for a Plesk environment where most of that is already done by default.
 
However, the additional headers I would also not add there, but in the additional header section on top of that page. All the fast_cgi settings and many of the other major server settings that the Nextcloud docs explain are meant for a barebone server, not for a Plesk environment where most of that is already done by default.
Does "the additional header" at the top refer to the sixth item from the top in the Apache Common Settings section? I had assumed that it was Apache-only there. So I did not fill anything out there.

For example, do I not need the following settings?
Code:
location ~ \.php(?:$|/) {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;

    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
    fastcgi_param front_controller_active true;     # Enable pretty urls
    fastcgi_pass php-handler;

    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;

    fastcgi_max_temp_file_size 0;
}
 
I added Refferer-Policy, X headers, etc. to the additional headers at the top and left the Nginx additional directive field blank.
However, the Referrer-Policy and X headers are still duplicated. If additional headers are also left blank, those headers are completely eliminated.
Is this an event originating from Plesk or software?
 
It's something that is happening due to the nature of the Nginx/Apache combination I guess. The additional headers are not needed for proper operation of Nextcloud.
 
Back
Top