Enable HSTS on cPanel & WHM interface?

carock

Well-Known Member
Is it possible to enable HSTS for the cPanel and WHM interfaces?

Security auditors whining about not having HSTS set in these.

Thanks,
Chuck
 

httpdocs

Well-Known Member
Yes.
Include this in the .htaccess file:
# Security header Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

carock

Well-Known Member
Where is that at? I did not find a .htaccess file here: /usr/local/cpanel/whostmgr/docroot

or the base directory. The only place in the cpanel tree I find .htaccess files are in the 3rdparty stuff and horde.

Thanks,
Chuck
 

cPanelLauren

Product Owner II
Staff member
Hi @carock

cPanel/WHM doesn't use HSTS but you can force a secure connection using Tweak Settings -> Security:

Require SSL for cPanel Services

This option forces the server to redirect unencrypted cPanel, Webmail, WHM, and DAV requests to secure ports according to the SSL redirection settings. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is enabled, the system will redirect to the best matched certificate for the domain. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is disabled, the system will redirect to the https:// URL for the domain, even if no valid certificate exists for the domain.
 

omgwalt

Registered
cPanel/WHM doesn't use HSTS
Is this something that cPanel might consider adding? I ask because Mozilla now suggests it among their web security recommendations for creating secure web applications.


In fact, it would be great if cPanel would provide tools to implement all of their recommendations.
 

cPanelLauren

Product Owner II
Staff member
Hello @omgwalt

For all the domains including the hostname you can add some variation of the following for HSTS at WHM>>Service Configuration>>Apache Configuration -> Include Editor -> PreMain Include

Code:
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
Because cPanel/WHM runs using cPSrvd which is separate from your domains it does not have this capability at this time. I checked for open feature requests on this as well and I didn't find anything. I would strongly urge you to open one using the link in my signature. Once it's open feel free to update here with the link so others can easily find it and vote on it as well.


Thanks!

Rajeeva Lochana

Well-Known Member
Community Guide Contributor
Hi @carock

cPanel/WHM doesn't use HSTS but you can force a secure connection using Tweak Settings -> Security:

Require SSL for cPanel Services

This option forces the server to redirect unencrypted cPanel, Webmail, WHM, and DAV requests to secure ports according to the SSL redirection settings. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is enabled, the system will redirect to the best matched certificate for the domain. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is disabled, the system will redirect to the https:// URL for the domain, even if no valid certificate exists for the domain.
I also just want to point out that HSTS should only be present over HTTPS. So, I use the following; it works with Apache on a cPanel server. You can either add this to the .htaccess file or add it to the main config file, i.e. by following my 2nd way. Adding it to the .htaccess file of a website will only affect that particular website and the folder the .htaccess file is placed in. mod_headers should be enabled in Apache.
1st way:
Apache config:
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
Use 63072000 instead of 300 if you need to preload. Also, to preload, go to HSTS Preload List Submission and follow those instructions.

2nd way:
Add the same to the following:
WHM>>Service Configuration>>Apache Configuration -> Include Editor -> PreMain Include

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
The env=HTTPS doesn't work sometimes on subdomains with https e.g. https://subdomain.example.com. Am I missing something?

For more security, also use these headers, by adding them to the Apache conf or .htaccess file:
Apache config:
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Thanks.

AnonymousBR

Registered
Good afternoon.

Sorry if I use any wrong words. Possible language conflict.

I need help to configure the HSTS correctly.

On a consultation website, I received the following error.

Warning: Unnecessary HSTS header over HTTP

The HTTP page at http://domain.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Does anybody know how to solve this?

cPanelLauren

Product Owner II
Staff member
You might want to read these threads for information - the one you're in here:


as well as


The reason you received that error is because you're attempting to view the site over HTTP:// not https://
 

divemasterza

Active Member
Good afternoon.

Sorry if I use any wrong words. Possible language conflict.

I need help to configure the HSTS correctly.

On a consultation website, I received the following error.

Warning: Unnecessary HSTS header over HTTP

The HTTP page at http://domain.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Does anybody know how to solve this?
Depending on how you implemented it, you want to add the end bit env=HTTPS

Code:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
 

AnonymousBR

Registered
Depending on how you implemented it, you want to add the end bit env=HTTPS

Code:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

Thank you for your help. I managed to solve my problem.

I added the following code at the beginning of .htaccess and Apache.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"

A tip for those who had difficulty adding this feature:

1 - The domain must have a valid SSL certificate.

2 - After adding this code, the first redirect must be to https://domain.com and not to https://www.domain.com

3 - Depending on the server configuration, it may be necessary to add this code in the .htaccess file and in the apache settings within WHM.

Home / Service Configuration / Apache Configuration / Include Editor / Pre Main Include

Select the All Versions option and enter the code. Click Update and then restart the Apache services.

cPRex

Jurassic Moderator
Staff member
That's an excellent question, especially since the HSTS documentation says this about that value:


Code:
Preloading

When using preload, the max-age directive must be at least 31536000 (1 year), and the includeSubDomains directive must be present. Not part of the specification.
I'll reach out to the web development team to see if there is an explanation for this, or if we should update our documentation to make that time longer. I won't have details tonight, but hopefully I'll hear back from them tomorrow.
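A small check, added here as an example (it is not from any poster in this thread or from cPanel), that applies the two rules raised above to a header value: no HSTS header on plain HTTP, and max-age of at least 31536000 plus includeSubDomains when preload is used. The commented curl line shows how to feed it a live response; the host name there is a placeholder.

```shell
#!/bin/sh
# Validate a Strict-Transport-Security header value against the rules
# discussed in this thread. Arguments: scheme (http|https), header value.
# Returns 0 when acceptable, 1 otherwise; prints the reason.
check_hsts() {
    scheme="$1"
    hsts="$2"
    lc=$(printf '%s' "$hsts" | tr 'A-Z' 'a-z')   # directives are case-insensitive
    # Browsers ignore HSTS on plain HTTP; scanners flag it as "Unnecessary
    # HSTS header over HTTP". Fix: env=HTTPS or "expr=%{HTTPS} == 'on'".
    if [ "$scheme" = "http" ]; then
        if [ -n "$hsts" ]; then
            echo "FAIL: HSTS header sent over HTTP"
            return 1
        fi
        echo "OK: no HSTS header over HTTP"
        return 0
    fi
    if [ -z "$hsts" ]; then
        echo "FAIL: no HSTS header on the HTTPS response"
        return 1
    fi
    max_age=$(printf '%s' "$lc" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "FAIL: max-age directive missing"
        return 1
    fi
    # The preload list requires max-age >= 31536000 and includeSubDomains.
    case "$lc" in
        *preload*)
            if [ "$max_age" -lt 31536000 ]; then
                echo "FAIL: preload with max-age=$max_age (< 31536000)"
                return 1
            fi
            case "$lc" in
                *includesubdomains*) ;;
                *) echo "FAIL: preload without includeSubDomains"; return 1 ;;
            esac ;;
    esac
    echo "OK: $hsts"
    return 0
}

# Constructed sample values matching the ones quoted in this thread
# ("|| :" keeps the demo going past a FAIL result):
check_hsts https "max-age=300; includeSubDomains; preload" || :       # FAIL: preload too short
check_hsts https "max-age=63072000; includeSubDomains; preload" || :  # OK
check_hsts http  "max-age=31536000; includeSubDomains" || :           # FAIL: sent over HTTP
# Live check (placeholder host; strips the CR that curl leaves on header lines):
# check_hsts https "$(curl -sI https://your-host.example/ | tr -d '\r' | grep -i '^strict-transport-security:' | cut -d' ' -f2-)"
```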

clopezi

Active Member
That's an excellent question, especially since the HSTS documentation says this about that value:


Code:
Preloading

When using preload, the max-age directive must be at least 31536000 (1 year), and the includeSubDomains directive must be present. Not part of the specification.
I'll reach out to the web development team to see if there is an explanation for this, or if we should update our documentation to make that time longer. I won't have details tonight, but hopefully I'll hear back from them tomorrow.
Thanks a lot!