LiteSpeed Alternative to Apache Header Edit
LiteSpeed doesn't support Apache's header edit directive, and so the following Apache directive won't work on LiteSpeed:
Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"
Let's look at the elements of the directive, and how to accomplish each with LSWS.
Secure
The above example, which involves patching Set-Cookie with a secure flag when served over HTTPS, is automatically handled by LiteSpeed Web Server as of v5.4.5, and so it is unnecessary to use a directive for that.
HTTPOnly
For HTTPOnly settings, you should be able to use php.ini. For example:
session.cookie_httponly=On
ForceSecureCookie
As of LSWS v5.4.9 build 2, a new directive, ForceSecureCookie, has been introduced to enforce secure and SameSite cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the .htaccess of the document root directory.
ForceSecureCookie can use the following values: off, on|secure, httponly, lax|same_site_lax, strict|same_site_strict, same_site_none
The same_site_xxxx values can be combined with secure.
Examples
To enforce the secure attribute only:
ForceSecureCookie secure
To enforce “secure; SameSite=none;”:
ForceSecureCookie secure same_site_none
To enforce “SameSite=strict” only:
ForceSecureCookie strict
or
ForceSecureCookie same_site_strict
NOTE: When using the above directives, please make sure to enclose them with <IfModule LiteSpeed> ... </IfModule>
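To confirm that a ForceSecureCookie setting is taking effect, the Set-Cookie headers of an HTTPS response can be compared against the attributes the directive values are meant to enforce. The following is an added example, not LiteSpeed's own code: the function names are hypothetical, the mapping from directive values to cookie attributes is inferred from the value list and examples above, and the sample headers are constructed.

```python
# Values listed on this page -> (cookie attribute, required value or None).
EXPECTED = {
    "on": ("secure", None), "secure": ("secure", None),
    "httponly": ("httponly", None),
    "lax": ("samesite", "lax"), "same_site_lax": ("samesite", "lax"),
    "strict": ("samesite", "strict"), "same_site_strict": ("samesite", "strict"),
    "same_site_none": ("samesite", "none"),
}

def parse_set_cookie(header):
    """Return (cookie_name, {attribute_name_lower: value_lower_or_None})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower() if sep else None
    return name, attrs

def missing_attributes(directive_args, set_cookie_headers):
    """Map cookie name -> directive values whose attribute is absent or wrong."""
    args = directive_args.lower().split()
    if "off" in args:
        return {}
    unknown = [a for a in args if a not in EXPECTED]
    if unknown:
        raise ValueError(f"unknown ForceSecureCookie value(s): {unknown}")
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        gaps = []
        for arg in args:
            attr, want = EXPECTED[arg]
            if attr not in attrs or (want is not None and attrs[attr] != want):
                gaps.append(arg)
        if gaps:
            report[name] = gaps
    return report

# Constructed sample Set-Cookie values, not captured from a real server.
SAMPLE = [
    "PHPSESSID=abc123; path=/; Secure; SameSite=None",
    "lang=en; path=/; HttpOnly",
]

if __name__ == "__main__":
    print(missing_attributes("secure same_site_none", SAMPLE))
```

Pass the arguments exactly as they appear after ForceSecureCookie in the config; an empty result means every cookie checked carries the expected attributes.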