innhold/docs/security-cpanel.md

# Security Hardening — cPanel Shared Hosting

The container dev environment (Containerfile + apache.conf) handles most hardening automatically. On cPanel shared hosting, some settings must be configured manually since you don't control the Apache or PHP config directly.

## What's handled by .htaccess (works everywhere)

These are applied automatically via `content/.htaccess` (synced from `.htaccess.base`):

- Block direct access to `.ini`, `.md`, `.html`, `.php` content files
- Security headers: `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`
- Strip `X-Powered-By` header
- Restrict HTTP methods to GET/POST/HEAD
- Rewrite rules routing all requests through `index.php`

The `custom/.htaccess` and `custom/data/.htaccess` files also deploy automatically and block direct access to config files and data.

## What needs manual cPanel configuration

### 1. Disable display_errors

Go to **MultiPHP INI Editor** (Home > Software > MultiPHP INI Editor):

- Select the domain
- Set `display_errors` = **Off**
- Set `log_errors` = **On**
- Set `expose_php` = **Off**

This prevents PHP errors from leaking server paths and internal details to visitors.

### 2. PHP version

Use **MultiPHP Manager** to ensure PHP 8.4+ is selected for the domain.

### 3. Session cookie hardening

Handled in `content/index.php` via `ini_set()` calls — no cPanel action needed. The entry point sets `HttpOnly`, `SameSite=Lax`, and `Secure` (when on HTTPS) before any session starts.

### 4. Server version header

On shared hosting you typically cannot change `ServerTokens` (it's a server-level directive). The `X-Powered-By` header is stripped by `.htaccess`, but the `Server: Apache/2.4.x` header may still show the full version. This is a low-risk issue on shared hosting since the Apache version is the hosting provider's responsibility.

### 5. SSL/TLS

Use **SSL/TLS** (Home > Security > SSL/TLS) or **AutoSSL** to ensure HTTPS is active. The session cookie `Secure` flag only activates over HTTPS.

## Checklist

- [ ] `.htaccess` deployed (copy `.htaccess.base` if needed, preserve cPanel-generated blocks)
- [ ] `display_errors` = Off in MultiPHP INI Editor
- [ ] `expose_php` = Off in MultiPHP INI Editor
- [ ] `log_errors` = On in MultiPHP INI Editor
- [ ] SSL certificate active
- [ ] `custom/smtp-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/listmonk-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/data/` directory writable by web server (`chmod 755` or `775`)
- [ ] `custom/data/.htaccess` present with `Require all denied`
Add security hardening for shared hosting environments Improve session cookie security with HttpOnly and SameSite attributes Add security headers via .htaccess Block direct access to sensitive files Restrict allowed HTTP methods Document cPanel-specific security configuration Add container hardening for ServerTokens and ServerSignature 2026-02-10 23:02:57 +01:00			`# Security Hardening — cPanel Shared Hosting`

			`The container dev environment (Containerfile + apache.conf) handles most hardening automatically. On cPanel shared hosting, some settings must be configured manually since you don't control the Apache or PHP config directly.`

			`## What's handled by .htaccess (works everywhere)`

			These are applied automatically via `content/.htaccess` (synced from `.htaccess.base`):

			- Block direct access to `.ini`, `.md`, `.html`, `.php` content files
			- Security headers: `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`
			- Strip `X-Powered-By` header
			`- Restrict HTTP methods to GET/POST/HEAD`
			- Rewrite rules routing all requests through `index.php`

			The `custom/.htaccess` and `custom/data/.htaccess` files also deploy automatically and block direct access to config files and data.

			`## What needs manual cPanel configuration`

			`### 1. Disable display_errors`

			`Go to MultiPHP INI Editor (Home > Software > MultiPHP INI Editor):`

			`- Select the domain`
			- Set `display_errors` = Off
			- Set `log_errors` = On
			- Set `expose_php` = Off

			`This prevents PHP errors from leaking server paths and internal details to visitors.`

			`### 2. PHP version`

			`Use MultiPHP Manager to ensure PHP 8.4+ is selected for the domain.`

			`### 3. Session cookie hardening`

			Handled in `content/index.php` via `ini_set()` calls — no cPanel action needed. The entry point sets `HttpOnly`, `SameSite=Lax`, and `Secure` (when on HTTPS) before any session starts.

			`### 4. Server version header`

			On shared hosting you typically cannot change `ServerTokens` (it's a server-level directive). The `X-Powered-By` header is stripped by `.htaccess`, but the `Server: Apache/2.4.x` header may still show the full version. This is a low-risk issue on shared hosting since the Apache version is the hosting provider's responsibility.

			`### 5. SSL/TLS`

			Use SSL/TLS (Home > Security > SSL/TLS) or AutoSSL to ensure HTTPS is active. The session cookie `Secure` flag only activates over HTTPS.

			`## Checklist`

			- [ ] `.htaccess` deployed (copy `.htaccess.base` if needed, preserve cPanel-generated blocks)
			- [ ] `display_errors` = Off in MultiPHP INI Editor
			- [ ] `expose_php` = Off in MultiPHP INI Editor
			- [ ] `log_errors` = On in MultiPHP INI Editor
			`- [ ] SSL certificate active`
			- [ ] `custom/smtp-config.php` exists but is NOT in git (check `.gitignore`)
			- [ ] `custom/listmonk-config.php` exists but is NOT in git (check `.gitignore`)
			- [ ] `custom/data/` directory writable by web server (`chmod 755` or `775`)
			- [ ] `custom/data/.htaccess` present with `Require all denied`