cPanel violates CSP set in apache includes

gramzon
Active Member, joined Dec 4, 2017, Croatia
cPanel Access Level: Root Administrator
I wanted to set security headers globally for my website so I set the headers in the apache includes. (/etc/apache2/conf.d/userdata/ssl/2_4/user/domain/headers.conf)
This works fine for my website, but now I have a problem using the cpanel.mydomain.com subdomain because it violates my CSP policy (it uses unsafe-inline scripts).

How can I exclude this subdomain from using the security headers, while still keeping the headers for the rest of the website?

I realize I could just put 'unsafe-inline' in the script-src directive but that would defeat the point of my CSP.
Also, setting the headers in the .htaccess file is not an option since it doesn't work for .php files (something to do with fcgi).

This is the code used in headers.conf:
Code:
# Global security headers for the domain's SSL virtual host
Header always set Content-Security-Policy "default-src 'self'; font-src 'self' data: http://fonts.gstatic.com; style-src 'self' 'unsafe-inline' http://fonts.googleapis.com; script-src 'self' https://ajax.googleapis.com; img-src 'self' data:; report-uri https://example.report-uri.com/r/d/csp/enforce"
# Expect-CT directives are comma separated and report-uri takes a quoted URL (escaped inside the Apache string)
Header always set Expect-CT "max-age=30, enforce, report-uri=\"https://example.report-uri.com/r/d/ct/enforce\""
Header always set Expect-Staple "max-age=30; report-uri=\"https://example.report-uri.com/r/d/staple/reportOnly\""
Header always set Referrer-Policy "same-origin"
Header always set Strict-Transport-Security "max-age=2592000"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block; report=https://example.report-uri.com/r/d/xss/enforce"
 

cPanelMichael
Administrator, Staff member, joined Apr 11, 2011
gramzon said:
I just surrounded this code in <Directory "/"> and </Directory> tags and now the headers are not set for the proxy subdomains.
Hello,

I'm glad to see it's now working as you intend. Thank you for sharing the outcome.
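The following is an added example, not configuration from the thread or from cPanel. It shows the global form beside the scoped form the thread settled on, plus an explicit host-based alternative. It assumes the cPanel layout named in the question (the include is pulled into the domain's SSL VirtualHost) and assumes that cPanel serves its service subdomains (cpanel., webmail., whm. and so on) from that same VirtualHost by mod_rewrite proxying to the local service ports; proxied requests never resolve to a filesystem path, so a <Directory> section never matches them, which is why the wrapper excludes them. The hostnames and report URLs are placeholders.

```apache
# Added example, not from the thread. Assumed location:
# /etc/apache2/conf.d/userdata/ssl/2_4/user/domain/headers.conf

# Before: bare Header directives in the include apply to every response
# the VirtualHost emits, including the proxied cPanel UI, which relies
# on inline scripts and therefore breaks under a script-src without
# 'unsafe-inline'.
#
#   Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://ajax.googleapis.com"

# After (what the thread arrived at): a <Directory> section only applies
# to requests that map to a filesystem path. The service subdomains are
# proxied (assumption: RewriteRule ... [P] to 127.0.0.1), so they never
# enter this section and keep their own headers.
<Directory "/">
    Header always set Content-Security-Policy "default-src 'self'; font-src 'self' data: https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' https://ajax.googleapis.com; img-src 'self' data:; report-uri https://example.report-uri.com/r/d/csp/enforce"
    Header always set Referrer-Policy "same-origin"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
</Directory>

# Alternative that states the intent instead of relying on the
# proxy side effect: an Apache 2.4 <If> block keyed on the requested
# host. The list of service prefixes is an assumption; extend it to
# match the proxy subdomains enabled on the server.
<If "%{HTTP_HOST} !~ /^(cpanel|webmail|whm|webdisk|cpcalendars|cpcontacts)\./">
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://ajax.googleapis.com; report-uri https://example.report-uri.com/r/d/csp/enforce"
</If>

# HSTS does not interact with inline scripts and the service subdomains
# are also served over TLS here, so it can stay global.
Header always set Strict-Transport-Security "max-age=2592000"
```

After restarting Apache, compare the two hostnames with `curl -sI https://example.com/ | grep -i content-security-policy` and `curl -sI https://cpanel.example.com/ | grep -i content-security-policy`: the first should print the policy and the second should print nothing. Note that the <If> form also catches requests that hit a filesystem path on the service hostnames, which the <Directory> form does not, so pick the one that matches how the server actually routes those hosts.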