Enable HSTS on cPanel & WHM interface?

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
Is it possible to enable HSTS for the cPanel and WHM interfaces?

Security auditors whining about not having HSTS set in these.

Thanks,
Chuck
 

httpdocs

Well-Known Member
Mar 9, 2018
United States
cPanel Access Level
Root Administrator
Yes.
Include this in the .htaccess file:
# Security header Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
Where is that at? I did not find a .htaccess file here: /usr/local/cpanel/whostmgr/docroot

or the base directory. The only place in the cPanel tree I find .htaccess files is in the 3rdparty stuff and Horde.

Thanks,
Chuck
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
Hi @carock

cPanel/WHM doesn't use HSTS but you can force a secure connection using Tweak Settings -> Security:

Require SSL for cPanel Services

This option forces the server to redirect unencrypted cPanel, Webmail, WHM, and DAV requests to secure ports according to the SSL redirection settings. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is enabled, the system will redirect to the best matched certificate for the domain. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is disabled, the system will redirect to the https:// URL for the domain, even if no valid certificate exists for the domain.
 

omgwalt

Registered
Dec 1, 2019
Connecticut
cPanel Access Level
Root Administrator
cPanel/WHM doesn't use HSTS
Is this something that cPanel might consider adding? I ask because Mozilla now suggests it among their web security recommendations for creating secure web applications.


In fact, it would be great if cPanel would provide tools to implement all of their recommendations.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
Hello @omgwalt

For all the domains including the hostname you can add some variation of the following for HSTS at WHM>>Service Configuration>>Apache Configuration -> Include Editor -> PreMain Include

Code:
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
Because cPanel/WHM runs using cPSrvd, which is separate from your domains, it does not have this capability at this time. I checked for open feature requests on this as well and I didn't find anything. I would strongly urge you to open one using the link in my signature. Once it's open, feel free to update here with the link so others can easily find it and vote on it as well.


Thanks!
 

rajeevacj

Well-Known Member
May 27, 2019
India
cPanel Access Level
Root Administrator
Hi @carock

cPanel/WHM doesn't use HSTS but you can force a secure connection using Tweak Settings -> Security:

Require SSL for cPanel Services

This option forces the server to redirect unencrypted cPanel, Webmail, WHM, and DAV requests to secure ports according to the SSL redirection settings. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is enabled, the system will redirect to the best matched certificate for the domain. If “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs” is disabled, the system will redirect to the https:// URL for the domain, even if no valid certificate exists for the domain.
I also just want to point out that HSTS should only be present over HTTPS. So I use the following; it works with Apache on a cPanel server. You can either add this to the .htaccess file or add it to the main config file, i.e., by following my 2nd way. Adding it to the .htaccess file of a website will only affect that particular website and the folder the .htaccess file is placed in. mod_headers should be enabled in Apache.
1st way:
Apache config:
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
Use 63072000 instead of 300 if you need to preload. Also, to preload, go to the HSTS Preload List Submission page and follow the instructions there.

2nd way:
Add the same to the following:
WHM>>Service Configuration>>Apache Configuration -> Include Editor -> PreMain Include

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
The env=HTTPS sometimes doesn't work on subdomains with HTTPS, e.g. https://subdomain.example.com. Am I missing something?

For more security, also use the following headers by adding them to the Apache conf or .htaccess file:
Apache config:
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Thanks.
 
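Added here as an example, not code from any post in this thread: a POSIX shell check that reads the Strict-Transport-Security header a host actually returns and verifies it against the policy the posts recommend (a max-age of at least a year and includeSubDomains). It is the kind of check that shows whether a PreMain Include or the env=HTTPS condition actually fired on a given vhost or subdomain. The hostname server.example.com is an assumption, 2087 is WHM's SSL port, and the sample response is constructed.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: verify the HSTS policy
# a host actually serves. Live use (hostname assumed; 2087 is WHM's SSL port):
#   check_hsts 31536000 "$(curl -sI https://server.example.com:2087/ | hsts_value)"

# hsts_value: raw response headers on stdin -> first Strict-Transport-Security
# value on stdout (header names are case-insensitive; CRLF and leading space dropped).
hsts_value() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# check_hsts MIN_AGE VALUE: returns 0 when VALUE carries max-age >= MIN_AGE and
# includeSubDomains, otherwise prints the reason to stderr and returns 1.
check_hsts() {
    min_age="$1"
    # RFC 6797 directives are case-insensitive; normalise before matching.
    norm=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    if [ -z "$norm" ]; then
        echo "FAIL: no Strict-Transport-Security header (mod_headers off, or env=HTTPS not set?)" >&2
        return 1
    fi
    max_age=$(printf '%s\n' "$norm" | tr ';' '\n' \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$max_age" ]; then
        echo "FAIL: max-age directive missing or malformed" >&2
        return 1
    fi
    if [ "$max_age" -lt "$min_age" ]; then
        echo "FAIL: max-age=$max_age is below the required $min_age" >&2
        return 1
    fi
    case ";$norm;" in
        *";includesubdomains;"*) ;;
        *) echo "FAIL: includeSubDomains directive missing" >&2; return 1 ;;
    esac
    echo "OK: max-age=$max_age, includeSubDomains present"
}

# Constructed sample response using the thread's 300-second test value.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300; includeSubDomains; preload'

if check_hsts 31536000 "$(printf '%s\n' "$SAMPLE_RESPONSE" | hsts_value)"; then
    echo "sample policy accepted"
else
    echo "sample policy rejected: raise max-age before going live"
fi
```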