cPanel / LiteSpeed Security Headers: Referrer-Policy Fix - YouTube Error 153
Standardising Security Headers on cPanel/LiteSpeed Servers

Purpose
This document explains a common issue found on cPanel servers running LiteSpeed where the global security headers are configured in a way that can break embedded YouTube videos and create incorrect HTTP response headers.
It also explains why we recommend using:
Referrer-Policy: strict-origin-when-cross-origin
instead of:
Referrer-Policy: no-referrer
as the default global setting for shared hosting servers.
Background
Some websites may show the following YouTube embed error:
Error 153
Video player configuration error
This can happen when YouTube cannot receive a suitable referrer from the website where the video is embedded.
On one cPanel/LiteSpeed server, the following global Apache include configuration was found:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header always set X-Frame-Options "sameorigin"
Header setifempty Referrer-Policy: same-origin
Header set X-XSS-Protection "1; mode=block"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
Header set X-Content-Type-Options: nosniff
</IfModule>
This created two main problems.
Problem 1: Incorrect Header Syntax
The following lines are not correctly written:
Header setifempty Referrer-Policy: same-origin
Header set X-Content-Type-Options: nosniff
The colon after the header name is wrong in this context.
As a result, the browser may receive an invalid or unexpected response header such as:
Setifempty: Referrer-Policy: same-origin
This is not a valid security header and should not be present in the response.
The correct syntax should use the header name without a colon, and the value should be placed inside quotes, for example:
Header always set X-Content-Type-Options "nosniff"
Problem 2: Referrer-Policy no-referrer Can Break Embeds
The following header is very strict:
Referrer-Policy: no-referrer
It prevents the browser from sending any referrer information at all, to external services and even on same-origin requests.
This is good for privacy, but it can cause compatibility issues with some third-party services, including embedded video players, payment gateways, SSO systems, analytics tools, and other integrations.
For YouTube embeds, this can contribute to:
Error 153 - Video player configuration error
Recommended Referrer Policy
For shared hosting servers, the recommended global default is:
Referrer-Policy: strict-origin-when-cross-origin
This is a balanced option.
It works as follows:
- For same-origin requests, the full referrer URL may be sent.
- For HTTPS cross-origin requests, only the origin is sent, for example:
https://example.com
- The full page path is not sent to external websites.
- Referrer information is not sent when moving from HTTPS to HTTP.
This gives a good balance between privacy, security, and compatibility.
For example, instead of sending this full URL to YouTube:
https://example.com/private/page?id=123
the browser only sends:
https://example.com
This is usually enough for third-party services that need to know the website origin, without exposing the full page path.
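The rules above are one case of the general Referrer-Policy algorithm. The following script is an added example (not part of this document's configuration and not from cPanel or LiteSpeed) that models, for every policy value, what Referer a browser would send from a given page to a given destination, so the difference between no-referrer, same-origin and strict-origin-when-cross-origin can be compared side by side. It follows the W3C Referrer Policy algorithm with one simplification (only https counts as a secure scheme, so the "potentially trustworthy" special case for localhost is ignored); the sample URLs are constructed, and VIDEO_ID is a placeholder. Note that an origin-only referrer is serialised with a trailing slash, so the browser actually sends https://example.com/ where the text above writes https://example.com.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example: model of the browser's Referer derivation per Referrer-Policy value.
# Simplification: only "https" is treated as a secure scheme.

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin_of(url):
    """scheme://host[:port], lower-cased, with any user:pass@ removed."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1].lower()
    return f"{p.scheme.lower()}://{host}"


def full_referrer(url):
    """The 'full' referrer: the URL without credentials or fragment."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referrer_for(policy, source, destination):
    """Return the Referer value sent from `source` to `destination`,
    or None when the policy suppresses the header entirely."""
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = (urlsplit(source).scheme.lower() == "https"
                 and urlsplit(destination).scheme.lower() != "https")
    full = full_referrer(source)
    origin_only = origin_of(source) + "/"   # an origin is serialised with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy in ("", "strict-origin-when-cross-origin"):
        # "" means no policy was set; modern browsers default to this behaviour
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


def compare_policies(source, destination):
    """Map every policy value to what it would send for one request."""
    return {p: referrer_for(p, source, destination) for p in POLICIES}


if __name__ == "__main__":
    # Constructed sample: a private page embedding a YouTube player (VIDEO_ID is a placeholder).
    page = "https://example.com/private/page?id=123"
    embed = "https://www.youtube.com/embed/VIDEO_ID"
    for policy, sent in compare_policies(page, embed).items():
        print(f"{policy:32} -> {sent if sent is not None else '(no Referer header)'}")
```

Running it shows that no-referrer and same-origin send nothing to the embed (which is what YouTube then has to cope with), while strict-origin-when-cross-origin sends only https://example.com/ and still withholds the path and query string.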
Recommended Global Header Block
For cPanel/LiteSpeed shared hosting servers, this is a recommended balanced configuration:
<IfModule LiteSpeed>
CacheRoot /home/lscache/
</IfModule>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
Header always edit Set-Cookie "(.*)" "$1; HttpOnly; Secure"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Content-Type-Options "nosniff"
</IfModule>
Note that the Set-Cookie edit appends HttpOnly and Secure to every cookie the server sets, including cookies that already carry those flags and cookies that client-side scripts need to read; review it per site if an application breaks after the change.
Important Note About HSTS
The following HSTS value is strong:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
However, it should not normally be applied globally on a shared hosting server unless all domains and all subdomains are guaranteed to have valid HTTPS.
The options:
includeSubDomains
preload
can cause problems if any subdomain does not support HTTPS correctly. Once a domain is accepted into the browser preload lists, the commitment is effectively permanent and cannot be undone quickly.
For a safer shared hosting default, use:
Strict-Transport-Security: max-age=31536000
Use includeSubDomains and preload only for specific domains where this is fully verified.
How To Apply This From WHM
Follow these steps:
- Log in to WHM as root.
- Go to:
Service Configuration → Apache Configuration → Include Editor
- Open:
Pre Main Include
- Select:
All Versions
- or:
Apache 2.4
- Remove any old or incorrect lines such as:
Header setifempty Referrer-Policy: same-origin
Header set Referrer-Policy "no-referrer"
Header set X-Content-Type-Options: nosniff
- Add the recommended block:
<IfModule LiteSpeed>
CacheRoot /home/lscache/
</IfModule>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
Header always edit Set-Cookie "(.*)" "$1; HttpOnly; Secure"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Content-Type-Options "nosniff"
</IfModule>
- Save the changes.
- Rebuild and restart Apache when WHM asks.
- Restart LiteSpeed from:
WHM → Plugins → LiteSpeed Web Server → Restart LiteSpeed
How To Apply This From SSH
If needed, the active file can usually be checked with:
grep -RniE "Referrer-Policy|SetIfEmpty|setifempty|no-referrer|same-origin|Strict-Transport-Security|X-Content-Type-Options" \
/etc/apache2 /usr/local/apache/conf /etc/httpd /usr/local/lsws/conf /var/cpanel/templates \
--exclude="*.log" --exclude="*.log.*" 2>/dev/null
Common files are:
/etc/apache2/conf.d/includes/pre_main_global.conf
/usr/local/apache/conf/includes/pre_main_global.conf
After editing, run:
apachectl configtest
/usr/local/cpanel/scripts/rebuildhttpdconf
/usr/local/cpanel/scripts/restartsrv_httpd
systemctl restart lsws
Only continue with the restart if:
Syntax OK
is returned by apachectl configtest.
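The grep above finds the relevant lines but leaves the judgement to the reader. The following script is an added example (not the document's own tooling and not part of cPanel or LiteSpeed) that parses Header directives from an include file and flags the specific mistakes described in this document: a trailing colon in the header name, the setifempty action, a missing always condition, a global no-referrer policy, and HSTS with includeSubDomains or preload. SAMPLE_CONFIG is constructed for the demo and modelled on the broken include quoted earlier; run the script against a real file by passing its path.

```python
import shlex
import sys

# Added example: lint "Header" directives in an Apache/LiteSpeed include file.
# SAMPLE_CONFIG is a constructed stand-in for a broken pre_main_global.conf.
SAMPLE_CONFIG = """\
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header setifempty Referrer-Policy: same-origin
Header set Referrer-Policy "no-referrer"
Header set X-Content-Type-Options: nosniff
</IfModule>
"""

ACTIONS = {"set", "setifempty", "append", "add", "unset", "echo",
           "edit", "edit*", "merge", "note"}
# Actions that emit a header and therefore need "always" to cover non-2xx responses in Apache.
EMITTING_ACTIONS = {"set", "setifempty", "append", "add", "merge", "edit", "edit*"}


def lint_header_directives(config_text):
    """Return a list of (line_no, problem, suggested_line) tuples.
    suggested_line is None when no mechanical rewrite is appropriate."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("header "):
            continue
        try:
            tokens = shlex.split(line)   # respects the double-quoted value
        except ValueError:
            findings.append((n, "unbalanced quotes", None))
            continue
        i = 1
        condition = None
        if i < len(tokens) and tokens[i].lower() in ("always", "onsuccess"):
            condition = tokens[i].lower()
            i += 1
        if i >= len(tokens) or tokens[i].lower() not in ACTIONS:
            findings.append((n, "unknown Header action", None))
            continue
        action = tokens[i].lower()
        name = tokens[i + 1] if i + 1 < len(tokens) else ""
        value = " ".join(tokens[i + 2:])
        clean_name = name.rstrip(":")
        # Only set/setifempty can be rewritten mechanically; edit/append differ in shape.
        fixed = f'Header always set {clean_name} "{value}"' if action in ("set", "setifempty") else None

        if name.endswith(":"):
            findings.append((n, "trailing colon in header name; use the bare name", fixed))
        if action == "setifempty":
            findings.append((n, "setifempty produced an invalid 'Setifempty:' response header here; use set", fixed))
        if condition != "always" and action in EMITTING_ACTIONS:
            findings.append((n, "missing 'always': in Apache the header is omitted on non-2xx responses such as redirects", fixed))
        lname, lvalue = clean_name.lower(), value.lower()
        if lname == "referrer-policy" and lvalue == "no-referrer":
            findings.append((n, "no-referrer as a global default breaks third-party embeds",
                             'Header always set Referrer-Policy "strict-origin-when-cross-origin"'))
        if lname == "strict-transport-security" and ("includesubdomains" in lvalue or "preload" in lvalue):
            findings.append((n, "includeSubDomains/preload applied globally; only safe when every subdomain has valid HTTPS",
                             'Header always set Strict-Transport-Security "max-age=31536000"'))
    return findings


if __name__ == "__main__":
    # Usage: python3 lint_headers.py /etc/apache2/conf.d/includes/pre_main_global.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line_no, problem, suggestion in lint_header_directives(text):
        print(f"line {line_no}: {problem}")
        if suggestion:
            print(f"    suggested: {suggestion}")
```

Run it before apachectl configtest: configtest only checks that Apache can parse the file, which it will for the colon and setifempty lines, so the syntax problems described in Problem 1 are not caught by configtest alone.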
How To Test
Use curl to check the response headers:
curl -k -sI 'https://example.com/?v=header-test' | grep -iE 'referrer|setifempty|strict-transport|x-content-type|x-frame|server'
Expected good result:
server: LiteSpeed
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
The following should not appear:
referrer-policy: no-referrer
setifempty: Referrer-Policy: same-origin
Browser Testing
In Chrome:
- Open the website.
- Open Developer Tools.
- Go to the Network tab.
- Reload the page.
- Click the page request.
- Check Response Headers.
The response should include:
Referrer-Policy: strict-origin-when-cross-origin
It should not include:
Referrer-Policy: no-referrer
Setifempty: Referrer-Policy: same-origin
If the page shows:
304 Not Modified
use a new query string to bypass cache, for example:
https://example.com/?v=header-test-2
YouTube Embed Test
A simple test page can use this iframe format:
<iframe
width="800"
height="450"
src="https://www.youtube.com/embed/VIDEO_ID"
title="YouTube video player"
referrerpolicy="strict-origin-when-cross-origin"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
allowfullscreen>
</iframe>
Replace VIDEO_ID with the real YouTube video ID.
Do not test using a local file opened as:
file:///path/to/test.html
A local file is not a real website origin and may not send the expected referrer. Use a real domain or a local web server instead.
Example local test:
cd ~/Downloads
python3 -m http.server 8080
Then open:
http://localhost:8080/test.html
Final Recommendation
For MassarCloud shared hosting servers, apply this correction as a standard baseline:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
Avoid using Referrer-Policy: no-referrer as a global default because it may break third-party integrations.
Avoid using includeSubDomains; preload globally unless all domains and subdomains are verified to support HTTPS correctly.
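The baseline above can be checked mechanically on every server instead of reading curl output by eye. The following script is an added example (not the document's own tooling) that parses a raw curl -sI header dump and reports anything that deviates from the baseline: a missing or wrong Referrer-Policy, X-Content-Type-Options or X-Frame-Options, duplicate copies of a header (which the setifempty plus set combination from Problem 1 can produce), an HSTS max-age below one year or one carrying includeSubDomains/preload, and the invalid setifempty header. GOOD_RESPONSE and BAD_RESPONSE are constructed samples modelled on the expected and unwanted results in the How To Test section; the script name audit_headers.py is an assumption.

```python
import re
import sys

# Added example: audit `curl -sI` output against this document's baseline headers.
# Both samples are constructed for the demo, not captured from a real server.
GOOD_RESPONSE = """\
HTTP/2 200
server: LiteSpeed
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
"""

BAD_RESPONSE = """\
HTTP/2 200
server: LiteSpeed
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: sameorigin
referrer-policy: no-referrer
setifempty: Referrer-Policy: same-origin
x-content-type-options: nosniff
"""

BASELINE = {
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",       # compared case-insensitively
}
MIN_HSTS_MAX_AGE = 31536000               # one year, the recommended global value
INVALID_HEADER_NAMES = {"setifempty"}     # artefact of the broken directive


def parse_headers(raw):
    """Parse `curl -sI` output into {lower-case name: [values]}, keeping duplicates."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw):
    """Return a list of problems; an empty list means the baseline is met."""
    h = parse_headers(raw)
    problems = []
    for name, want in BASELINE.items():
        values = h.get(name, [])
        if not values:
            problems.append(f"missing {name}")
        elif len(values) > 1:
            problems.append(f"duplicate {name}: {values}")
        elif values[0].lower() != want:
            problems.append(f"{name} is {values[0]!r}, expected {want!r}")
    hsts = " ".join(h.get("strict-transport-security", [])).lower()
    if not hsts:
        problems.append("missing strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            problems.append(f"hsts max-age below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" in hsts or "preload" in hsts:
            problems.append("hsts includeSubDomains/preload present; only for fully verified domains")
    for name in sorted(INVALID_HEADER_NAMES & set(h)):
        problems.append(f"invalid header present: {name}")
    return problems


if __name__ == "__main__":
    # Pipe real output in:  curl -k -sI 'https://example.com/?v=header-test' | python3 audit_headers.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else BAD_RESPONSE
    for p in audit_response(raw) or ["OK: baseline headers present"]:
        print(p)
```

Use a fresh query string on each run, as described under Browser Testing, so that the audited response is a 200 from the server rather than a cached 304.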
Summary
The recommended change improves compatibility while keeping strong security headers.
The most important fixes are:
- Remove invalid header syntax.
- Remove Referrer-Policy: no-referrer as a global default.
- Use Referrer-Policy: strict-origin-when-cross-origin.
- Keep X-Content-Type-Options: nosniff.
- Keep X-Frame-Options: SAMEORIGIN.
- Use HSTS carefully on shared hosting servers.