Currently the only way to edit the HTTP headers for a dedicated server to make them more secure is to make the server unmanaged so that the changes don’t get overwritten by DreamHost’s managed processes. May I suggest, as a feature request, allowing the users to manage the HTTP headers in the web console so that they do not have to turn off managed services? Security should be a number 1 priority … especially these days. Requiring users to unmanage Apache in order to secure the HTTP headers seems counterproductive to me. I mean, the whole point of having those services managed is to keep up on updates for security. So, requiring the users to make one part of the server less secure so that the other can become more secure is not a very good practice. I would suggest adding a section in the web panel for customers to edit the HTTP headers, because by default they are not very secure.
Just to clarify, for instance, I would like to turn on HSTS (Hypertext Strict Transport Security), disable iframing, and enable Content Security Policy. The below site gives some good information about securing HTTP headers and how they can help guard against things like cross-site scripting and clickjacking.
Hi dstuder, thanks for the suggestions. I’m not an expert in the field, but I believe that most (if not all) of the things you’re suggesting can be done by customizing .htaccess. Examples of how to do this are at https://htaccessbook.com/increase-security-x-security-headers/
Let us know if these don’t work for you.
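A sketch of the .htaccess approach mentioned in the reply above, covering the three headers requested in the first post. This is an added example, not taken from either poster or from DreamHost; the policy values are sample assumptions, and it assumes Apache 2.4.10 or later with mod_headers loaded and AllowOverride FileInfo permitted for the site.

```apache
# .htaccess in the site's document root (added example; values are samples).
# The Header directive needs mod_headers, and in .htaccess it needs
# "AllowOverride FileInfo" (or All) in the server configuration.
<IfModule mod_headers.c>

    # HSTS: only send over HTTPS. Browsers ignore the header on plain HTTP,
    # and the expr= condition keeps it off those responses entirely.
    # Start with a short max-age (for example 300) while testing, because
    # browsers cache the policy for the full duration once they see it.
    # Add includeSubDomains only if every subdomain serves valid HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"

    # Framing: allow the site to frame itself, refuse all other origins.
    # X-Frame-Options covers older browsers; the CSP frame-ancestors
    # directive below is the current mechanism and wins where both exist.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Content Security Policy: sample baseline that only allows resources
    # from the site's own origin. Sites that load third-party scripts,
    # fonts or styles must list those origins or they will be blocked.
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"

    # To trial a policy without blocking anything, comment out the line
    # above and use the report-only variant instead; violations then show
    # up in the browser console but the page still loads.
    # Header always set Content-Security-Policy-Report-Only "default-src 'self'; frame-ancestors 'self'"

</IfModule>
```

"Header always set" is used so the headers are also attached to error responses such as 404 pages; `curl -sI https://your-domain.example/` (placeholder hostname) shows whether they are being sent.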