Content-Security-Policy headers for WHM, cPanel, and webmail


Jun 11, 2017
Has any thought been given to enabling better Content-Security-Policy headers on the WHM, cPanel, and webmail interfaces by default?

I see threads in the forums about how to set up the Content-Security-Policy headers in the
but when you do that, it appears to apply to the,, and interfaces as well.

I was able to work around this by using the expression conditional like below, but it still leaves those important interfaces 'unprotected' from cross-site scripting injection.

Header always set Content-Security-Policy "default-src 'self'; \
script-src 'self' 'strict-dynamic'; \
style-src 'self' 'strict-dynamic'; \
img-src 'self' 'strict-dynamic'; \
object-src 'none'; base-uri 'none';" \
"expr=%{HTTP_HOST} !~ m#(webmail|cpanel|whm)\..*#"
After some toying around I found a set of options that appear to avoid breaking the cpanel interfaces, but they are far less than optimal since they require 'unsafe-inline' 'unsafe-eval'.
I also tried using the Tweak option of "Enable Content-Security-Policy on some interfaces", but that does not appear to do anything to the web interfaces that are actually important.

It would be nice if the cpanel and webmail interfaces were built such that one of 3 things were present (in order of easiest to most desirable):
  1. If the cpanel applications set up the specific header allows that were needed, so one could set a global policy and have it overridden such that these sites aren't broken.
  2. That they didn't require those unsafe directives, by removing the use of inline script and styles.
  3. It would be even more optimal if the applications were enhanced to support 'nonce' in the script and style references and automatically injected 'nonce' in the Content-Security-Policy headers.
I'm wondering if there is anything being done to work towards any of those?
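An added check, not from the thread or from cPanel, that parses the two policies described above (the global policy and the 'unsafe-inline' 'unsafe-eval' fallback, both re-typed here as sample input) and flags the weaknesses discussed: the 'unsafe-*' source expressions, and 'strict-dynamic' placed outside script-src or used without a nonce/hash. nonce_policy() sketches option 3 with an assumed policy layout.

```python
import re
import secrets

# Sample policies constructed from the post above.
STRICT_POLICY = ("default-src 'self'; script-src 'self' 'strict-dynamic'; "
                 "style-src 'self' 'strict-dynamic'; img-src 'self' 'strict-dynamic'; "
                 "object-src 'none'; base-uri 'none';")
UNSAFE_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "style-src 'self' 'unsafe-inline';")

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def nonce_policy():
    """Option 3 from the post: a fresh per-response nonce (assumed layout)."""
    nonce = secrets.token_urlsafe(16)
    return nonce, (f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
                   f"style-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none';")

def audit_csp(header):
    """Return findings for the weaknesses discussed in the thread."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src", "img-src"):
        # A missing fetch directive falls back to default-src.
        sources = policy.get(directive, policy.get("default-src", []))
        has_nonce_or_hash = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in sources)
        # 'unsafe-inline' is ignored by browsers once a nonce/hash is present.
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append(f"{directive}: 'unsafe-inline' with no nonce/hash")
        if "'unsafe-eval'" in sources:
            findings.append(f"{directive}: 'unsafe-eval' permits eval()/new Function()")
        if "'strict-dynamic'" in sources:
            if directive != "script-src":
                findings.append(f"{directive}: 'strict-dynamic' only applies to script-src (ignored)")
            elif not has_nonce_or_hash:
                # 'strict-dynamic' makes 'self' and host sources ignored; with no nonce/hash nothing is allowed.
                findings.append("script-src: 'strict-dynamic' without a nonce/hash blocks all scripts")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src: missing (plugins not restricted)")
    return findings
```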