Apache

  • Service:  Apache
  • Ports:  80, 443

In WHM -> Home -> Service Configuration -> Apache Configuration -> Global Configuration set the SSL  Cipher Suite and SSL/TLS Protocols to the cPanel defaults.

Also disable Directory Indexing. Uncheck Indexes under this option.

Directory “/” Options  Indexes

In WHM -> Home -> Service Configuration -> Apache Configuration -> Include Editor, add this to the “Pre Virtual Host” Include file.  See the warning below before making this change.

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header always set X-FRAME-OPTIONS "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
</IfModule>

SSLHonorCipherOrder On
SSLCompression off

WARNING!

Careful to make sure you’ve got a valid SSL cert. If you do not and you enable Strict Transport Security, then most browsers won’t let you access the site at all. If this a critical site and you’re using cPanel’s AutoSSL for it, you might want to consider upgrading to a paid SSL cert, those are usually valid for a year. It’s not unheard of for cPanel’s AutoSSL servers to have outages or for something else to mess up.

That said, you should get an A+ at the Qualys SSL Labs test site if HSTS is enabled.

If you’re using cPanel’s AutoSSL and the default Comodo provider, you can also set up this CAA record.  Don’t know what that is?  This link should be helpful.  Under WHM -> Home -> DNS Functions -> Edit DNS Zone create a CAA record for your domain.

flags = 0
tag = issue
sslissuer.tld = “comodoca.com”

Here’s what that looks like for my domain.

anna@xps:~$ dig caa annahost.org +short
0 issue "comodoca.com"
Check to make sure that the ciphers have been updated and only TLS 1.2 is enabled
anna@xps:~$ nmap miss.annahost.org -p 443 --script ssl-enum-ciphers

Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-23 19:42 CDT
Nmap scan report for miss.annahost.org (162.246.58.251)
Host is up (0.045s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds
And check your Apache headers
anna@xps:~$ curl -I https://annahost.org
HTTP/1.1 200 OK
Date: Sun, 24 Jun 2018 22:03:18 GMT
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains;
Content-Security-Policy: upgrade-insecure-requests;
X-FRAME-OPTIONS: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Last-Modified: Wed, 13 Jun 2018 02:41:08 GMT
Accept-Ranges: bytes
Content-Length: 415
Content-Type: text/html