HSTS file issue

Discussion in 'Security' started by Otávio Serra, Apr 23, 2018.

  1. Otávio Serra

    Otávio Serra Member

    Hi,

    I added the HSTS line to .htaccess and uploaded it to the host root of one cPanel account [removed.tld.br]. But HSTS appeared to be disabled on one test website.

    This is the command put in the .htaccess file and uploaded to the root of this account's site [removed.tld.br]:

    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    </IfModule>

    This is the test site I used that threw this problem: [removed]

    This is the result on report:

    Strict Transport Security (HSTS) No
    HSTS Preloading Not in: Chrome Edge Firefox IE

    Using curl as a test tool, same problem:

    [ec2-user@wp1 ~]$ curl -si removed.tld | grep ^Strict
    [ec2-user@wp1 ~]$

    Plus, I went into WHM // Software // EasyApache 4 and verified that mod_headers is ENABLED in the Apache configuration.

    What is wrong? Can anyone help me?

    Thanks
     
    #1 Otávio Serra, Apr 23, 2018
    Last edited by a moderator: Apr 23, 2018
  2. Hedloff

    Hedloff Well-Known Member

    Did you try to add it in "Include Editor" in WHM like this:
     

    Attached Files:

  3. Otávio Serra

    Otávio Serra Member

    No. I need HSTS only for one account, so I need to use .htaccess. Your path applies globally.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. Otávio Serra

    Otávio Serra Member

    This option only works if you redirect your domain to www.domain. I can't redirect my domain to www. because I need the URL without www.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You may want to try it without the redirect entry to see if it helps. Additionally, here are a couple of other threads with discussion on this topic:

    Getting Perfect Forward Secrecy Question
    Problems with OCSP stapling

    Note that if you prefer to enable it for a specific domain name as opposed to globally, you can use the instructions from the following thread:

    Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation

    If you do prefer to use the .htaccess file only, then you may want to verify no other rules exist in the file. Also, try with just the Header entry instead of using the IfModule block. EX:

    Code:
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Thank you.
     
  7. Otávio Serra

    Otávio Serra Member

    I tried it but it didn't work, see:

    # Force SSL:
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

    RewriteEngine on
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @Otávio Serra,

    Can you verify a trusted SSL certificate is installed for the domain name you are testing with, as opposed to a self-signed SSL certificate? Also, try testing via the command line using cURL. EX:

    Code:
    curl -s -D- https://domain.tld/ | grep Strict
    If it's successful, the output should look like this:

    Code:
    # curl -s -D- https://domain.tld/ | grep Strict
    Strict-Transport-Security: max-age=63072000
    Additionally, use "WHM >> MultiPHP Manager" to check to see which PHP handler is associated with the version of PHP assigned to this account. For instance, headers are stripped as a security measure when using CGI as the handler. Thus, you'd need to use a different handler or add the entries directly to the virtual host instead of the .htaccess file per the instructions at:

    Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation

    Thank you.
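
Added example, not part of the thread or of cPanel's documentation: a shell helper that reads a response-header dump (such as the output of the `curl -s -D-` check above) and reports whether HSTS is missing, disabled, present, or meets the preload list's header requirements (max-age of at least 31536000 plus includeSubDomains and preload). The function names and the sample dumps are constructed for illustration; the first sample is the plain-HTTP redirect case, which is what curl requests when given a bare hostname and where a header conditioned on `env=HTTPS` does not appear.

```shell
#!/bin/sh
# Added example (not from the thread): judge HSTS from a saved response-header dump,
# e.g. the output of: curl -s -D- -o /dev/null https://domain.tld/

# Print the value of the first Strict-Transport-Security header found on stdin.
hsts_value() {
    tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Classify a header value: missing | disabled | present | preload-ready.
hsts_verdict() {
    # Lower-case, drop spaces and quotes, one directive per line.
    dirs=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t"' | tr ';' '\n')
    max_age=$(printf '%s\n' "$dirs" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$max_age" ]; then echo "missing"; return; fi
    if [ "$max_age" -eq 0 ]; then echo "disabled max-age=0"; return; fi
    if [ "$max_age" -ge 31536000 ] &&
       printf '%s\n' "$dirs" | grep -qx 'includesubdomains' &&
       printf '%s\n' "$dirs" | grep -qx 'preload'; then
        echo "preload-ready max-age=$max_age"
    else
        echo "present max-age=$max_age"
    fi
}

# Constructed sample dumps (not captured from any real site).
HTTP_DUMP='HTTP/1.1 301 Moved Permanently
Location: https://domain.tld/
Content-Type: text/html'

HTTPS_DUMP='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload'

SHORT_DUMP='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

# Run both steps on a dump held in a variable.
check_dump() { hsts_verdict "$(printf '%s\n' "$1" | hsts_value)"; }

echo "http : $(check_dump "$HTTP_DUMP")"
echo "https: $(check_dump "$HTTPS_DUMP")"
echo "short: $(check_dump "$SHORT_DUMP")"
```

Against a live site, pipe the header dump in directly: `curl -s -D- -o /dev/null https://domain.tld/ | hsts_value`.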
     