Change security headers of cPanel itself?
There is one similar thread that is 4 years old but I don't know the resolution of that:
https://support.cpanel.net/hc/en-us/community/posts/19160077714711-Content-Security-Policy-headers-for-WHM-cPanel-and-webmail
I am trying to edit security headers of cPanel control panel itself. This URL is public and so the security headers need to be set. For example "cpanel.example.com", or maybe someone uses "example.com/cpanel" or just the port "example.com:2083". If I run the URL on a header checker, it fails all of them.
I have enabled the setting "Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd" in Tweak Settings, and this worked for those two headers which is good.
I also enabled the option "Enable Content-Security-Policy on some interfaces" but this didn't do anything. I don't know which interfaces it's talking about, but it doesn't work for the cpanel URLs.
I am trying to also set the Strict-Transport-Security header, Referrer-Policy at the least. I may even want to set the CSP as well if there is an appropriate default.
I tried using the Pre Main Include and Pre VirtualHost Include to set headers but neither of these apply to the cpanel subdomain apparently.
I realize that messing up a header like CSP or Permissions-Policy could potentially mess up cPanel functioning, so it would make sense if they just don't allow us to mess with it, but I'd like to know for sure. Is it possible to get stronger headers on public URLs for WHM/cPanel or not?
Third-party security scanners are becoming more and more common and I'm tired of them always hitting these cPanel endpoints and complaining about everything. We need to have a baseline of decent security headers at the least.
Is there anything I can do?
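As an added example that is not part of this thread or cPanel's own tooling: a small Python audit that HEAD-requests a panel URL (cpanel.example.com:2083 is a placeholder) and reports which of the headers discussed above are missing or weak, so you can confirm what cpsrvd actually sends after toggling a Tweak Setting.

```python
import ssl
import urllib.error
import urllib.request

def _hsts_ok(value: str) -> bool:
    # Accept HSTS only with a max-age of at least one year (31536000 s).
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num) >= 31536000
    return False

BASELINE = {  # headers from the thread; each check returns True for an acceptable value
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": _hsts_ok,
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin"),
    "content-security-policy": lambda v: (
        "default-src" in v.lower() or "frame-ancestors" in v.lower()),
}

def audit_headers(headers) -> dict:
    # Return {header: "ok" | "weak" | "missing"}; names are compared case-insensitively.
    items = headers.items() if hasattr(headers, "items") else headers
    present = {name.lower(): value for name, value in items}
    return {
        name: "missing" if name not in present
        else ("ok" if check(present[name]) else "weak")
        for name, check in BASELINE.items()
    }

def fetch_headers(url: str, verify: bool = True):
    # HEAD the panel URL and return its response headers as (name, value) pairs.
    ctx = ssl.create_default_context()
    if not verify:  # only for a self-signed panel certificate in a lab
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as err:  # 401/403 responses still carry headers
        return list(err.headers.items())

if __name__ == "__main__":
    import sys  # usage: python audit.py https://cpanel.example.com:2083/
    for name, status in audit_headers(fetch_headers(sys.argv[1])).items():
        print(f"{status:8} {name}")
```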
Hey there! The original request never got any action back when, but I've spoken with the security team today and I've created case CPANEL-46589 to see how they'd like to handle this moving forward. There are a few different ways we could deal with this, and I'm not sure what option the team will pick.
At this time there is no workaround for the issue, but if there are any updates to that case as they work on it I'll be sure to share them here.
That would be great! I look forward to some kind of improvement along this front.