Add security hardening for shared hosting environments
Improve session cookie security with HttpOnly and SameSite attributes
Add security headers via .htaccess
Block direct access to sensitive files
Restrict allowed HTTP methods
Document cPanel-specific security configuration
Add container hardening for ServerTokens and ServerSignature
This commit is contained in:
parent
f2dc4ec647
commit
3b04a3d78c
6 changed files with 121 additions and 2 deletions
56
docs/security-cpanel.md
Normal file
@ -0,0 +1,56 @@
# Security Hardening — cPanel Shared Hosting
The container dev environment (Containerfile + apache.conf) handles most hardening automatically. On cPanel shared hosting, some settings must be configured manually since you don't control the Apache or PHP config directly.
## What's handled by .htaccess (works everywhere)
These are applied automatically via `content/.htaccess` (synced from `.htaccess.base`):
- Block direct access to `.ini`, `.md`, `.html`, `.php` content files
- Security headers: `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`
- Strip `X-Powered-By` header
- Restrict HTTP methods to GET/POST/HEAD
- Rewrite rules routing all requests through `index.php`
The `custom/.htaccess` and `custom/data/.htaccess` files also deploy automatically and block direct access to config files and data.
## What needs manual cPanel configuration
### 1. Disable display_errors
Go to **MultiPHP INI Editor** (Home > Software > MultiPHP INI Editor):
- Select the domain
- Set `display_errors` = **Off**
- Set `log_errors` = **On**
- Set `expose_php` = **Off**
This prevents PHP errors from leaking server paths and internal details to visitors.
### 2. PHP version
Use **MultiPHP Manager** to ensure PHP 8.4+ is selected for the domain.
### 3. Session cookie hardening
Handled in `content/index.php` via `ini_set()` calls — no cPanel action needed. The entry point sets `HttpOnly`, `SameSite=Lax`, and `Secure` (when on HTTPS) before any session starts.
### 4. Server version header
On shared hosting you typically cannot change `ServerTokens` (it's a server-level directive). The `X-Powered-By` header is stripped by `.htaccess`, but the `Server: Apache/2.4.x` header may still show the full version. This is a low-risk issue on shared hosting since the Apache version is the hosting provider's responsibility.
### 5. SSL/TLS
Use **SSL/TLS** (Home > Security > SSL/TLS) or **AutoSSL** to ensure HTTPS is active. The session cookie `Secure` flag only activates over HTTPS.
## Checklist
- [ ] `.htaccess` deployed (copy `.htaccess.base` if needed, preserve cPanel-generated blocks)
- [ ] `display_errors` = Off in MultiPHP INI Editor
- [ ] `expose_php` = Off in MultiPHP INI Editor
- [ ] `log_errors` = On in MultiPHP INI Editor
- [ ] SSL certificate active
- [ ] `custom/smtp-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/listmonk-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/data/` directory writable by web server (`chmod 755` or `775`)
- [ ] `custom/data/.htaccess` present with `Require all denied`
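Review bot: the last checklist item, "`custom/data/` directory writable by web server (`chmod 755` or `775`)", is only true when PHP executes as the cPanel account user (suEXEC/CGI/LSAPI), because 755 grants write access to the owner alone; state that assumption next to the item, and say explicitly that 777 is not an acceptable fallback on shared hosting, since other accounts on the same box could then write into the data directory. Section 3 says `Secure` is set "when on HTTPS": if that detection depends on the request scheme seen by PHP, it can silently fail behind a TLS-terminating proxy or CDN that reaches the origin over plain HTTP, so the doc should name how HTTPS is detected, or recommend forcing the flag once the SSL/TLS checklist item is confirmed, so the cookie is never sent in clear.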