The Community Forums

cPanel violates CSP set in apache includes

Discussion in 'EasyApache' started by gramzon, May 17, 2018.

  1. gramzon (Registered; joined Dec 4, 2017; Location: Croatia; cPanel Access Level: Root Administrator)

    I wanted to set security headers globally for my website, so I set the headers in the Apache includes (/etc/apache2/conf.d/userdata/ssl/2_4/user/domain/headers.conf).
    This works fine for my website, but now I have a problem using the cpanel.mydomain.com subdomain because it violates my CSP policy (it uses unsafe-inline scripts).

    How can I exclude this subdomain from using the security headers, while still keeping the headers for the rest of the website?

    I realize I could just put 'unsafe-inline' in the script-src directive but that would defeat the point of my CSP.
    Also, setting the headers in the .htaccess file is not an option since it doesn't work for .php files (something to do with fcgi).

    This is the code used in headers.conf:
    Code:
    Header always set Content-Security-Policy "default-src 'self'; font-src 'self' data: http://fonts.gstatic.com; style-src 'self' 'unsafe-inline' http://fonts.googleapis.com; script-src 'self' https://ajax.googleapis.com; img-src 'self' data:; report-uri https://example.report-uri.com/r/d/csp/enforce"
    Header always set Expect-CT "enforce,max-age=30; report-uri https://example.report-uri.com/r/d/ct/enforce"
    Header always set Expect-Staple "max-age=30; report-uri https://example.report-uri.com/r/d/staple/reportOnly"
    Header always set Referrer-Policy "same-origin"
    Header always set Strict-Transport-Security "max-age=2592000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block; report=https://example.report-uri.com/r/d/xss/enforce"
     
    #1 gramzon, May 17, 2018
    Last edited by a moderator: May 17, 2018
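To see from the policy text alone why a UI built on inline scripts fails under it, here is an added example (not code from the thread or from cPanel) that resolves a CSP header the way a browser does: a fetch directive uses its own source list, otherwise it falls back to default-src. HEADER is the policy posted above; the origins used for checks are constructed placeholders.

```python
# Added example: minimal CSP resolver for the policy posted in the thread.
# HEADER is the thread's policy; origins passed in by callers are constructed.
HEADER = ("default-src 'self'; font-src 'self' data: http://fonts.gstatic.com; "
          "style-src 'self' 'unsafe-inline' http://fonts.googleapis.com; "
          "script-src 'self' https://ajax.googleapis.com; img-src 'self' data:; "
          "report-uri https://example.report-uri.com/r/d/csp/enforce")

# Fetch directives that fall back to default-src when not listed (CSP2 subset).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src", "frame-src"}


def parse_csp(header_value):
    """Split 'name src src; name src' into {directive: [sources]}."""
    policy = {}
    for segment in header_value.split(";"):
        tokens = segment.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`: its own, else default-src for fetch directives."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []  # report-uri and other non-fetch directives never inherit


def allows_inline(policy, directive):
    """Inline <script>/<style> content needs 'unsafe-inline' (or a nonce/hash)."""
    return "'unsafe-inline'" in effective_sources(policy, directive)


def allows_origin(policy, directive, origin, self_origin):
    """True if a resource from `origin` ("scheme://host") may load under `directive`.
    Simplified: exact origin, 'self', and scheme-only sources such as data: ."""
    for src in effective_sources(policy, directive):
        if src == "'self'" and origin == self_origin:
            return True
        if src == origin:
            return True
        if src.endswith(":") and origin.startswith(src):  # scheme source
            return True
    return False
```

With this policy, `allows_inline(policy, "script-src")` is False while `allows_inline(policy, "style-src")` is True, which is exactly the asymmetry that lets the site's styles render but breaks a cPanel UI that relies on inline scripts; adding 'unsafe-inline' to script-src would flip the first result and remove most of the XSS protection the policy provides.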
  2. gramzon (Registered; cPanel Access Level: Root Administrator)

    I just surrounded this code in <Directory "/"> and </Directory> tags and now the headers are not set for the proxy subdomains.
     
  3. cPanelMichael (Forums Analyst, Staff Member; joined Apr 11, 2011; cPanel Access Level: Root Administrator)

    Hello,

    I'm glad to see it's now working as you intend. Thank you for sharing the outcome.
     