{"id":17552,"date":"2026-06-18T16:00:00","date_gmt":"2026-06-18T22:00:00","guid":{"rendered":"https:\/\/www.supportpro.com\/blog\/?p=17552"},"modified":"2026-06-17T03:25:52","modified_gmt":"2026-06-17T09:25:52","slug":"server-security-best-practices-adding-custom-http-headers-in-runcloud","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/server-security-best-practices-adding-custom-http-headers-in-runcloud\/","title":{"rendered":"Server Security Best Practices: Adding Custom HTTP Headers in RunCloud"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">As cyber threats evolve, hosting providers and server administrators need to take proactive steps to secure their web applications. One straightforward but effective security measure is using custom HTTP headers. These headers help protect websites from common attacks, boost browser security, and improve application performance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For organizations managing several websites and hosting environments, custom HTTP headers are crucial for solid server security practices. RunCloud makes it easy to configure these headers on both Nginx and OpenLiteSpeed servers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Custom HTTP Headers Matter<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For hosting companies, using the right security headers across customer environments can lower risks while enhancing website trust and reliability. HTTP headers provide extra instructions between web servers and browsers. They can help:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prevent clickjacking attacks<\/li>\n\n\n\n<li>Reduce cross-site scripting (XSS) risks<\/li>\n\n\n\n<li>Enforce secure HTTPS connections<\/li>\n\n\n\n<li>Control browser behaviour<\/li>\n\n\n\n<li>Improve caching efficiency<\/li>\n\n\n\n<li>Support compliance with security standards<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Adding Custom HTTP Headers in RunCloud for Nginx Servers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 1: Access Your Web Application<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Log into your <a href=\"https:\/\/www.supportpro.com\/blog\/runcloud-security-explained-how-its-built-in-firewall-keeps-hackers-out-24-7\/\" title=\"\">RunCloud<\/a> dashboard and go to the <strong>\u2018Web Applications\u2019<\/strong> section.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Select the website or application where you want to set custom headers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 2: Open the Nginx Configuration<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Within the application settings, find and open the <strong>\u2018Nginx Config\u2019<\/strong> section.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This area allows you to create custom Nginx directives that enhance your application&#8217;s default settings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 3: Create a Custom Header Configuration<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Click <strong>\u2018Add Config\u2019<\/strong> and give it a clear name, such as:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">`custom-security-headers`<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Add your desired security headers using the `add_header` directive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&#8220;`nginx<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">add_header X-Frame-Options &#8220;DENY&#8221;;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">add_header X-XSS-Protection &#8220;1; mode=block&#8221;;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">add_header Strict-Transport-Security &#8220;max-age=31536000; includeSubDomains&#8221;;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&#8220;`<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These headers prevent clickjacking, reduce XSS risks, and enforce HTTPS.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 4: Validate the Configuration<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use the<strong> \u2018Run and Debug\u2019 <\/strong>option to check the configuration syntax.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Fix any errors before proceeding.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 5: Save and Apply Changes<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once you validate successfully, save the configuration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RunCloud automatically reloads Nginx to apply the new settings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 6: Verify Header Deployment<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Verification ensures the headers are delivered correctly to visitors. After implementation, verify the headers with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Browser Developer Tools (Network tab)<\/li>\n\n\n\n<li>Security Header testing tools<\/li>\n\n\n\n<li>Command-line tools such as cURL<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Adding Custom HTTP Headers in OpenLiteSpeed<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations using OpenLiteSpeed can set custom headers through the LiteSpeed configuration settings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 1: Select the Application<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Log in to RunCloud and open the desired web application.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 2: Access LiteSpeed Settings<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Go to the<strong> \u2018LiteSpeed Settings\u2019 <\/strong>section to edit server-specific settings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 3: Configure Custom Headers<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Create a configuration context and add your custom header directives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&#8220;`plaintext<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">context \/ {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;extraHeaders&nbsp; &nbsp; X-Content-Type-Options nosniff<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">}<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&#8220;`<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This header prevents browsers from incorrectly interpreting file types and reduces certain security risks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can add multiple headers using separate `extraHeaders` directives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 4: Save and Reload<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Save the configuration and allow OpenLiteSpeed to reload.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The new headers will take effect right away.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Step 5: Confirm the Changes<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use browser developer tools or online validation sites to verify successful deployment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommended Security Headers for Hosting Providers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Hosting companies should think about using the following headers whenever suitable:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. <strong>Strict-Transport-Security (HSTS)<\/strong>: Forces browsers to use HTTPS connections.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.<strong> X-Frame-Options<\/strong>: Protects against clickjacking attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">3<strong>. X-Content-Type-Options<\/strong>: Prevents MIME type sniffing vulnerabilities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">4. <strong>Content-Security-Policy (CSP)<\/strong>: Limits which resources can load within a web page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">5.<strong> Referrer-Policy<\/strong>: Controls how referral information is shared between websites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">&nbsp;Best Practices for Managing HTTP Headers at Scale<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For hosting providers managing hundreds or thousands of websites, consistency is key. Consider these best practices:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize header policies across environments<\/li>\n\n\n\n<li>Regularly audit security configurations<\/li>\n\n\n\n<li>Monitor for configuration drift<\/li>\n\n\n\n<li>Test changes before deployment<\/li>\n\n\n\n<li>Review headers after major application updates<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Custom HTTP headers are a simple but powerful way to improve website security and performance. Whether you use Nginx or OpenLiteSpeed in RunCloud, configuring the right headers can help protect applications against common web threats and build user trust. For hosting companies and managed service providers, custom headers should be part of a wider server security strategy that includes monitoring, patch management, compliance reviews, and proactive infrastructure management.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Strengthen Your Hosting Infrastructure with SupportPRO<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From server hardening and security audits to 24\/7 infrastructure management and DevOps support, SupportPRO helps hosting companies maintain secure, high-performing environments.<a href=\"https:\/\/www.supportpro.com\/requestquote.php\" title=\"\"> Contact our team<\/a> today to learn how we can support your hosting operations.<\/p>\n\n\n\n<div class=\"wp-block-media-text alignwide has-media-on-the-right is-stacked-on-mobile is-vertically-aligned-center has-white-background-color has-background\"><div class=\"wp-block-media-text__content\">\n<p class=\"has-large-font-size wp-block-paragraph\">Facing issues? <\/p>\n\n\n\n<p class=\"has-large-font-size wp-block-paragraph\">Our technical support<br>engineers can solve it. <\/p>\n\n\n\n<!--HubSpot Call-to-Action Code --><span class=\"hs-cta-wrapper\" id=\"hs-cta-wrapper-3350a795-db50-482f-9911-301930d1b1be\"><span class=\"hs-cta-node hs-cta-3350a795-db50-482f-9911-301930d1b1be\" id=\"hs-cta-3350a795-db50-482f-9911-301930d1b1be\"><!--[if lte IE 8]><div id=\"hs-cta-ie-element\"><\/div><![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/2725694\/3350a795-db50-482f-9911-301930d1b1be\" ><img decoding=\"async\" class=\"hs-cta-img\" id=\"hs-cta-img-3350a795-db50-482f-9911-301930d1b1be\" style=\"border-width:0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/2725694\/3350a795-db50-482f-9911-301930d1b1be.png\"  alt=\"Contact Us today!\"\/><\/a><\/span><script charset=\"utf-8\" src=\"https:\/\/js.hscta.net\/cta\/current.js\"><\/script><script type=\"text\/javascript\"> hbspt.cta.load(2725694, '3350a795-db50-482f-9911-301930d1b1be', {\"useNewLoader\":\"true\",\"region\":\"na1\"}); <\/script><\/span><!-- end HubSpot Call-to-Action Code -->\n<\/div><figure class=\"wp-block-media-text__media\"><img fetchpriority=\"high\" decoding=\"async\" width=\"904\" height=\"931\" src=\"https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup.png\" alt=\"guy server checkup\" class=\"wp-image-12943 size-full\" srcset=\"https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup.png 904w, https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup-291x300.png 291w, https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup-768x791.png 768w, https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup-585x602.png 585w\" sizes=\"(max-width: 904px) 100vw, 904px\" \/><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"<p>As cyber threats evolve, hosting providers and server administrators need to take proactive steps to secure their web applications. One straightforward but effective security measure is using custom HTTP headers.&hellip;<\/p>\n","protected":false},"author":39,"featured_media":17554,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[370],"tags":[],"class_list":["post-17552","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-runcloud"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/17552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/comments?post=17552"}],"version-history":[{"count":1,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/17552\/revisions"}],"predecessor-version":[{"id":17553,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/17552\/revisions\/17553"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media\/17554"}],"wp:attachment":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media?parent=17552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/categories?post=17552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/tags?post=17552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}