Best TLS Settings in WHM

rivermobster
Well-Known Member
Dec 16, 2020
SoCal
cPanel Access Level: Root Administrator
Does this look like something I should actually do?

Paste these three lines in the editor, then click on Update:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-XSS-Protection "1; mode=block;"
Header always set X-Content-Type-Options "nosniff"

I have an A rating here now: SSL Server Test (Powered by Qualys SSL Labs)

Thanks in advance for the help!

rbairwell
Well-Known Member
May 28, 2022
Mansfield, Nottingham, UK
cPanel Access Level: Root Administrator
Hi,

Most of those settings are those suggested by the Mozilla SSL Configuration Generator for an "Intermediate" security setting: however, I would only advise setting those header lines in the main Apache configuration (as that article suggests) if you are happy for those settings to be on every single website hosted on the server.

If not, I would personally put those lines in the .htaccess file for each site: giving the site owners control of what is emitted for their site.

For the record, I'm getting A+ ratings for mine with the following settings:
Apache Configuration->Global Configuration
SSL Cipher Suite: (default)
SSL/TLS Protocols: default
SSL Use stapling: On

and in the .htaccess files:

Code:
<IfModule mod_headers.c>
Header unset X-Pingback
Header set X-XSS-Protection "1;mode=block;report=https://reporting-system.example.com/r/d/csp/enforce"
Header set Permissions-Policy "interest-cohort=()"
Header set X-Frame-Options "DENY"
Header set X-Content-Type-Options "nosniff"
Header set Cross-Origin-Resource-Policy "same-origin; report-to='default';"
Header set Referrer-Policy "no-referrer,same-origin,strict-origin-when-cross-origin"
Header set Cross-Origin-Embedder-Policy "require-corp; report-to='default';"
Header set Cross-Origin-Opener-Policy "same-origin; report-to='default';"
Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; img-src 'self'; font-src 'self'; worker-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri https://example.com:443/; manifest-src 'self'; report-uri https://reporting-system.example.com/r/d/csp/wizard"
Header set NEL '{"report_to":"default","max_age":31536000,"include_subdomains":true,"success-fraction":0.5,"failure_fraction":1.0}'
Header set Report-To '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://reporting-system.example.com/a/d/g"}],"include_subdomains":true}'
Header set Reporting-Endpoints 'default="https://reporting-system.example.com/a/d/g"'
Header always set Expect-CT 'max-age=43200, enforce, report-uri="https://reporting-system.example.com/r/d/ct/enforce"'
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header unset Public-Key-Pins
Header unset X-Powered-By
Header always unset X-Powered-By
ServerSignature Off
</IfModule>
(based off Cloudflare's examples, suggestions by SecurityHeaders (where the site is rated A+) and Report-URI (which I use for reporting))

I also ensured the site is listed on the HSTS Preload service. I've also got a 100% rating on Internet.nl's Test your website service.

Normally I check things like this via the Mozilla Observatory, but that appears currently broken (and has been for the last couple of days).
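An offline lint for the two header values this thread is about (Strict-Transport-Security and Content-Security-Policy), added here as an example and not taken from either post: it splits the values into directives, flags the common keyword-quoting mistake where something like `'self unsafe-eval unsafe-inline'` is written instead of three separately quoted keywords (Apache emits it unchanged, and browsers then see one unknown source token), and checks an HSTS value against the preload-list requirements (max-age of at least one year, includeSubDomains, preload). KEYWORDS and NO_INLINE are my own shortlists, not exhaustive.

```python
import re
# CSP keyword sources that are only valid inside single quotes.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic", "unsafe-hashes"}
# Fetch directives that never load inline content; 'unsafe-inline' is a no-op there.
NO_INLINE = {"img-src", "font-src", "connect-src", "media-src"}

def parse_csp(value):
    """Split a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(value):
    """Flag unbalanced quotes, unquoted keywords and misplaced 'unsafe-inline'."""
    findings = []
    for directive, sources in parse_csp(value).items():
        for tok in sources:
            quoted = len(tok) > 1 and tok.startswith("'") and tok.endswith("'")
            if tok.startswith("'") != tok.endswith("'"):
                findings.append(f"{directive}: unbalanced quote in {tok}")
            elif not quoted and tok.lower() in KEYWORDS:
                findings.append(f"{directive}: keyword {tok} must be written '{tok}'")
            elif quoted and tok.strip("'") == "unsafe-inline" and directive in NO_INLINE:
                findings.append(f"{directive}: 'unsafe-inline' has no effect here")
    return findings

def parse_hsts(value):
    """Parse an HSTS value into {'max-age': int|None, 'includeSubDomains': bool, 'preload': bool}."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for d in (x.strip().lower() for x in value.split(";")):
        if m := re.fullmatch(r"max-age=(\d+)", d):
            out["max-age"] = int(m.group(1))
        elif d in ("includesubdomains", "preload"):
            out["includeSubDomains" if d == "includesubdomains" else "preload"] = True
    return out

def lint_hsts(value):
    """Flag an HSTS value that would not satisfy the preload list requirements."""
    h, findings = parse_hsts(value), []
    if h["max-age"] is None:
        findings.append("max-age missing")
    elif h["max-age"] < 31536000:  # the preload list requires at least one year
        findings.append("max-age below one year (preload requires >= 31536000)")
    if h["preload"] and not h["includeSubDomains"]:
        findings.append("preload requires includeSubDomains")
    return findings
```

Run it against the header values you actually emit (curl -sI on the site shows them) rather than against the .htaccess text, since Header directives in a later context can override earlier ones.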