
cPanel violates CSP set in apache includes

Discussion in 'EasyApache' started by gramzon, May 17, 2018 at 6:16 AM.

  1. gramzon (Registered)

    I wanted to set security headers globally for my website, so I set the headers in the Apache includes (/etc/apache2/conf.d/userdata/ssl/2_4/user/domain/headers.conf).
    This works fine for my website, but now I have a problem using the cpanel.mydomain.com subdomain because it violates my CSP policy (it uses unsafe-inline scripts).

    How can I exclude this subdomain from using the security headers, while still keeping the headers for the rest of the website?

    I realize I could just put 'unsafe-inline' in the script-src directive but that would defeat the point of my CSP.
    Also, setting the headers in the .htaccess file is not an option, since it doesn't work for .php files (something to do with fcgi).

    This is the code used in headers.conf:
    Code:
    Header always set Content-Security-Policy "default-src 'self'; font-src 'self' data: http://fonts.gstatic.com; style-src 'self' 'unsafe-inline' http://fonts.googleapis.com; script-src 'self' https://ajax.googleapis.com; img-src 'self' data:; report-uri https://example.report-uri.com/r/d/csp/enforce"
    Header always set Expect-CT "enforce,max-age=30; report-uri=\"https://example.report-uri.com/r/d/ct/enforce\""
    Header always set Expect-Staple "max-age=30; report-uri=\"https://example.report-uri.com/r/d/staple/reportOnly\""
    Header always set Referrer-Policy "same-origin"
    Header always set Strict-Transport-Security "max-age=2592000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block; report=https://example.report-uri.com/r/d/xss/enforce"
     
    #1 gramzon, May 17, 2018 at 6:16 AM
    Last edited by a moderator: May 17, 2018 at 6:24 AM
  2. gramzon (Registered)

    I just surrounded this code in <Directory "/"> and </Directory> tags, and now the headers are not set for the proxy subdomains.
     
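    A check for the outcome described in the two posts above, as an added example (not from the thread or from cPanel): it parses a CSP value, applies the default-src fallback, and confirms that the main site still forbids 'unsafe-inline' in script-src while the proxy subdomain receives no CSP at all. The header dictionaries are constructed samples standing in for what a `curl -I` of each host would return.

```python
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(csp: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives such as script-src fall back to default-src when absent."""
    return csp.get(directive, csp.get("default-src", []))


def audit(main_headers: Dict[str, str], proxy_headers: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the split is correct."""
    main = {k.lower(): v for k, v in main_headers.items()}
    proxy = {k.lower(): v for k, v in proxy_headers.items()}
    problems: List[str] = []
    csp_value = main.get("content-security-policy")
    if csp_value is None:
        problems.append("main site: CSP header missing")
    else:
        csp = parse_csp(csp_value)
        if "'unsafe-inline'" in effective_sources(csp, "script-src"):
            problems.append("main site: script-src permits 'unsafe-inline'")
        if "report-uri" not in csp:
            problems.append("main site: no report-uri, violations will not be reported")
    if "content-security-policy" in proxy:
        problems.append("proxy subdomain: CSP still applied, cPanel UI will break")
    return problems


# Constructed samples standing in for the response headers of each host.
MAIN_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://ajax.googleapis.com; "
                               "style-src 'self' 'unsafe-inline'; report-uri https://example.report-uri.com/r/d/csp/enforce",
    "Strict-Transport-Security": "max-age=2592000",
}
PROXY_HEADERS = {"Content-Type": "text/html"}  # constructed: no CSP after the <Directory "/"> change

if __name__ == "__main__":
    for line in audit(MAIN_HEADERS, PROXY_HEADERS) or ["OK: headers split as intended"]:
        print(line)
```

    Feed the two functions real headers (for example from `urllib.request`) to verify a live server; note that a policy with no explicit script-src inherits default-src, so 'unsafe-inline' there is flagged too.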
  3. cPanelMichael (Forums Analyst, Staff Member)

    Hello,

    I'm glad to see it's now working as you intend. Thank you for sharing the outcome.
     