Introduction
This article will detail the necessary steps to enable HSTS on a cPanel server.
Procedure
- Log into WHM as the 'root' user.
- Navigate to "WHM / Service Configuration / Apache Configuration."
- Click "Include Editor."
- Select "All Versions" from the drop-down menu under "Pre-Main Include."
- Add the following text.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header always set X-Frame-Options "sameorigin"
Header setifempty Referrer-Policy: same-origin
Header set X-XSS-Protection "1; mode=block"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
Header set X-Content-Type-Options: nosniff
</IfModule> - Click the "Update" button.
- Click the "Restart Apache" button.
To confirm that your site now has the strict-transport-security header, run the following command:
read -p "Domain: " domain ; curl -s --head https://${domain}/ | egrep 'Strict-Transport-Security'
The command above will request a domain. Here is an example:
[root@server ~]cPs# read -p "Domain: " domain ; curl -s --head https://${domain}/ | egrep 'Strict-Transport-Security'
Domain: domain.tld
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload