- Service: Apache
- Ports: 80, 443
In WHM -> Home -> Service Configuration -> Apache Configuration -> Global Configuration set the SSL Cipher Suite and SSL/TLS Protocols to the cPanel defaults.
Also disable directory indexing: under the option `Directory "/" Options` on the same Global Configuration page, uncheck Indexes.
In WHM -> Home -> Service Configuration -> Apache Configuration -> Include Editor, add this to the “Pre Virtual Host” Include file. See the warning below before making this change.
```apache
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests;"
    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
    Header always set X-FRAME-OPTIONS "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
SSLHonorCipherOrder On
SSLCompression off
```
Make sure you have a valid SSL cert before enabling this. If you turn on Strict Transport Security without one, most browsers will refuse to load the site at all. If this is a critical site and you're using cPanel's AutoSSL for it, consider upgrading to a paid SSL cert; those are usually valid for a year, and it's not unheard of for cPanel's AutoSSL servers to have outages or for something else to go wrong during renewal.
That said, you should get an A+ at the Qualys SSL Labs test site if HSTS is enabled.
If you’re using cPanel’s AutoSSL and the default Comodo provider, you can also set up this CAA record. Don’t know what that is? This link should be helpful. Under WHM -> Home -> DNS Functions -> Edit DNS Zone create a CAA record for your domain.
```
flags = 0
tag = issue
sslissuer.tld = "comodoca.com"
```
Here’s what that looks like for my domain.
```
anna@xps:~$ dig caa annahost.org +short
0 issue "comodoca.com"
```
Check to make sure that the ciphers have been updated and only TLS 1.2 is enabled:
```
anna@xps:~$ nmap miss.annahost.org -p 443 --script ssl-enum-ciphers

Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-23 19:42 CDT
Nmap scan report for miss.annahost.org (220.127.116.11)
Host is up (0.045s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds
```
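Reading that output by eye works for one host, but if you manage several cPanel servers it helps to turn the check into a script. The following is an added example, not code from the original post: it parses the `ssl-enum-ciphers` section of an nmap report and flags any protocol other than TLS 1.2 (TLS 1.3 is also accepted, an assumption of mine since the post only mentions 1.2) and any cipher nmap grades worse than A. The scan text embedded below is constructed: the TLSv1.2 section mirrors the scan above, and a TLSv1.0 section with a made-up grade is added so the check has something to report.

```python
import re

# Constructed nmap ssl-enum-ciphers output (not a real scan): the TLSv1.2 block
# mirrors the scan above; the TLSv1.0 block and its grades are invented so the
# checker has a legacy protocol and a weak cipher to flag.
SCAN = """PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - C
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# A protocol header line looks like "TLSv1.2:" once nmap's gutter is removed.
PROTO_RE = re.compile(r"^(SSLv\d|TLSv1(?:\.\d)?):$")
# A cipher line looks like "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A".
CIPHER_RE = re.compile(r"^(TLS_\w+)(?: \([^)]*\))? - ([A-F])$")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [(cipher_name, grade), ...]} from ssl-enum-ciphers output."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|_").strip()  # drop nmap's "| " / "|_" gutter
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2)))
    return result


def check_tls(parsed, allowed=("TLSv1.2", "TLSv1.3"), worst_grade="A"):
    """List protocols outside `allowed` and ciphers graded worse than worst_grade.
    nmap grades run A (strong) to F, so a later letter means a weaker cipher."""
    findings = []
    for proto, ciphers in parsed.items():
        if proto not in allowed:
            findings.append("legacy protocol offered: %s" % proto)
        for name, grade in ciphers:
            if grade > worst_grade:
                findings.append("%s cipher graded %s: %s" % (proto, grade, name))
    return findings


if __name__ == "__main__":
    # In practice, feed it a saved scan: nmap ... -oN scan.txt; open("scan.txt").read()
    for finding in check_tls(parse_ssl_enum_ciphers(SCAN)) or ["OK"]:
        print(finding)
```

An empty list from `check_tls` corresponds to the state the post is aiming for: only TLS 1.2 offered and every cipher graded A.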
And check your Apache headers:
```
anna@xps:~$ curl -I https://annahost.org
HTTP/1.1 200 OK
Date: Sun, 24 Jun 2018 22:03:18 GMT
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains;
Content-Security-Policy: upgrade-insecure-requests;
X-FRAME-OPTIONS: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Last-Modified: Wed, 13 Jun 2018 02:41:08 GMT
Accept-Ranges: bytes
Content-Length: 415
Content-Type: text/html
```
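The same headers can be audited automatically, which is useful after a cPanel update rewrites the Apache config. The script below is an added example, not part of the original post: it parses a `curl -I` style response, checks the headers the Pre Virtual Host include sets (HSTS with the 180-day `max-age` and `includeSubDomains`, the `upgrade-insecure-requests` CSP, `X-Frame-Options`, `X-Content-Type-Options`) and confirms every `Set-Cookie` carries the `HttpOnly` and `Secure` flags the `Header edit` rule appends. `X-XSS-Protection` is not checked since current browsers ignore it. Both sample responses are constructed; the first copies the curl output above with a cookie added, the second stands in for a stock Apache response.

```python
import re

# Constructed sample responses (not captured from the author's host): HARDENED
# mirrors the `curl -I` output above plus a cookie; UNHARDENED is a stock
# Apache response before the Pre Virtual Host include is applied.
HARDENED = """HTTP/1.1 200 OK
Date: Sun, 24 Jun 2018 22:03:18 GMT
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains;
Content-Security-Policy: upgrade-insecure-requests;
X-FRAME-OPTIONS: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: PHPSESSID=example; path=/;HttpOnly;Secure
Content-Type: text/html
"""

UNHARDENED = """HTTP/1.1 200 OK
Date: Sun, 24 Jun 2018 22:03:18 GMT
Server: Apache
Strict-Transport-Security: max-age=300
Set-Cookie: PHPSESSID=example; path=/
Content-Type: text/html
"""


def parse_headers(raw):
    """Split a raw response into {lowercased-name: [values]}. Names are
    lowercased because header names are case-insensitive and the include
    above emits X-FRAME-OPTIONS in upper case."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the HTTP/1.1 status line
        if not line.strip():           # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw, min_hsts_age=15552000):
    """Return a list of findings; an empty list means every check passed.
    min_hsts_age defaults to the 180-day value used in the include above."""
    findings = []
    h = parse_headers(raw)

    hsts = h.get("strict-transport-security", [""])[0]
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append("HSTS max-age below %d" % min_hsts_age)
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy", [""])[0].lower()
    if "upgrade-insecure-requests" not in csp:
        findings.append("CSP lacks upgrade-insecure-requests")
    if h.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Every cookie the server sets should carry both flags the `Header edit`
    # rule appends; report each cookie that is missing either one.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append("cookie %s lacks %s" % (name, flag))
    return findings


if __name__ == "__main__":
    # Against a live host: subprocess.run(["curl", "-sI", url], ...).stdout
    for label, sample in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, audit_headers(sample) or "OK")
```

Run it against the output of `curl -sI` for each domain after any WHM change to the Apache configuration; a non-empty result means the include is no longer taking effect for that vhost.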