Enable HSTS on cPanel & WHM interface?
Is it possible to enable HSTS for the cPanel and WHM interfaces?
Security auditors whining about not having HSTS set in these.
Thanks,
Chuck
Yes. Add this to your .htaccess file:

    # Security header: enable HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Where is that? I did not find a .htaccess file here: /usr/local/cpanel/whostmgr/docroot or in the base directory. The only place in the cPanel tree where I find .htaccess files is in the 3rdparty stuff and Horde. Thanks, Chuck
Hi @carock

cPanel/WHM doesn't use HSTS, but you can force a secure connection using Tweak Settings -> Security: Require SSL for cPanel Services.

This option forces the server to redirect unencrypted cPanel, Webmail, WHM, and DAV requests to secure ports according to the SSL redirection settings. If "Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs" is enabled, the system will redirect to the best matched certificate for the domain. If that option is disabled, the system will redirect to the https:// URL for the domain, even if no valid certificate exists for the domain.
Hello @omgwalt

For all the domains, including the hostname, you can add some variation of the following for HSTS at WHM >> Service Configuration >> Apache Configuration >> Include Editor >> Pre Main Include:

    Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

Because cPanel/WHM runs using cpsrvd, which is separate from your domains, it does not have this capability at this time. I checked for open feature requests on this as well and I didn't find anything. I would strongly urge you to open one using the link in my signature. Once it's open, feel free to update here with the link so others can easily find it and vote on it as well. Thanks!
Good afternoon. Sorry if I use any wrong words; possible language conflict. I need help to configure HSTS correctly. On a consultation website, I received the following error:

    Warning: Unnecessary HSTS header over HTTP
    The HTTP page at http://domain.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Does anybody know how to solve this?
You might want to read these threads for information - the one you're in here: The reason you received that error is because you're attempting to view the site over http:// not https://
Depending on how you implemented it, you want to add the end bit env=HTTPS:

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Thank you for your help. I managed to solve my problem. I added the following code at the beginning of .htaccess and in Apache:

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"

A tip for those who had difficulty adding this feature:

1. The domain must have a valid SSL certificate.
2. After adding this code, the first redirect must be to https://domain.com and not to https://www.domain.com
3. Depending on the server configuration, it may be necessary to add this code both in the .htaccess file and in the Apache settings within WHM: Home / Service Configuration / Apache Configuration / Include Editor / Pre Main Include. Select the All Versions option and enter the code. Click Update and then restart the Apache services.
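The replies above touch three separate failure modes: the header being emitted on the plain-HTTP response (the "Unnecessary HSTS header over HTTP" warning, fixed by env=HTTPS or expr=%{HTTPS} == 'on'), a max-age such as 300 that is far below the one-year minimum the preload list requires, and an http:// request that is redirected to www.domain.com instead of the same host. The following is an added example written for this page, not code from the cPanel thread or from cPanel: an offline checker that models the http:// and https:// responses a scanner would fetch for one host and reports each of those problems. The Response class, the check_hsts and parse_hsts functions and the sample responses are all constructed here for illustration; nothing is fetched from a real server.

```python
"""Offline HSTS misconfiguration checker (added example, not from the thread).

Models the two responses a scanner fetches for one host (http:// and https://)
and flags the problems discussed above. All sample responses are constructed.
"""
import re
from dataclasses import dataclass, field

# Minimum max-age (one year) that the HSTS preload list requires.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (hypothetical helper type)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive, so match without regard to case.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when there is no usable max-age, which makes the header
    invalid for a browser.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None


def _host_of(url):
    # Strip the scheme and any path to get the host[:port] part of a URL.
    return url.split("://", 1)[1].split("/", 1)[0]


def check_hsts(http_resp, https_resp):
    """Return a list of finding strings for one host's http/https responses."""
    findings = []

    # 1. The HTTPS response must carry a valid HSTS header.
    value = https_resp.header("Strict-Transport-Security")
    if value is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    else:
        parsed = parse_hsts(value)
        if parsed is None:
            findings.append(f"HSTS header is malformed: {value!r}")
        elif parsed["preload"]:
            if parsed["max_age"] < PRELOAD_MIN_MAX_AGE:
                findings.append(f"preload requested but max-age={parsed['max_age']} "
                                f"is below {PRELOAD_MIN_MAX_AGE}")
            if not parsed["include_subdomains"]:
                findings.append("preload requested but includeSubDomains is missing")
        elif parsed["max_age"] == 0:
            findings.append("max-age=0 disables HSTS")

    # 2. Browsers ignore HSTS over plain HTTP; scanners flag it as unnecessary.
    if http_resp.header("Strict-Transport-Security") is not None:
        findings.append("Unnecessary HSTS header over HTTP "
                        "(condition it with env=HTTPS or expr=%{HTTPS} == 'on')")

    # 3. The HTTP response should redirect to https:// on the same host first.
    location = http_resp.header("Location")
    if http_resp.status not in (301, 302, 307, 308) or not location:
        findings.append("HTTP response does not redirect to HTTPS")
    else:
        scheme, _, rest = location.partition("://")
        if scheme != "https" or _host_of(location) != _host_of(http_resp.url):
            findings.append(f"HTTP redirects to {location} but the first hop "
                            f"should be https://{_host_of(http_resp.url)}")
    return findings


# Constructed sample responses (not captured from any real server).
BROKEN_HTTP = Response("http://domain.com/", 200, {
    "Strict-Transport-Security": "max-age=300; includeSubDomains; preload"})
BROKEN_HTTPS = Response("https://domain.com/", 200, {
    "Strict-Transport-Security": "max-age=300; includeSubDomains; preload"})
FIXED_HTTP = Response("http://domain.com/", 301, {"Location": "https://domain.com/"})
FIXED_HTTPS = Response("https://domain.com/", 200, {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, pair in (("before", (BROKEN_HTTP, BROKEN_HTTPS)),
                        ("after", (FIXED_HTTP, FIXED_HTTPS))):
        print(label, check_hsts(*pair) or ["OK"])
```

Run against the "before" pair it reports the short max-age, the header on the HTTP response and the missing redirect; the "after" pair, which mirrors the header and redirect described in the reply above, returns no findings. To use it against a live host, replace the constructed responses with the status, URL and headers from two real fetches; the checker itself does no network I/O.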
I've confirmed with the team that there isn't a particular reason that example is set to 300, so we'll update that article soon!
Are there any updates on this important issue (on FRI 20DEC24)?
I am unable to get HSTS working in my (GoDaddy VPS) WHM/cPanel environment - despite correct edits (specified here and elsewhere) to public_html/.htaccess and Apache PreMain (global) header inclusions (pre_main_global.conf).
Thank you.
There are some instructions on how to manually change this here:
https://support.cpanel.net/hc/en-us/articles/360055614293-PCI-How-to-enable-HSTS-on-a-cPanel-server
rangefinder - will that work for you?
Thank you for the follow-up.
I am happy to report that I was able to fix (all) of my header issues simply by updating cPanel, PHP, and all server software.
I'm glad that's all it took!