# Security Hardening — cPanel Shared Hosting

The container dev environment (Containerfile + apache.conf) handles most hardening automatically. On cPanel shared hosting, some settings must be configured manually since you don't control the Apache or PHP config directly.

## What's handled by .htaccess (works everywhere)

These are applied automatically via `content/.htaccess` (synced from `.htaccess.base`):

- Block direct access to `.ini`, `.md`, `.html`, `.php` content files
- Security headers: `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`
- Strip `X-Powered-By` header
- Restrict HTTP methods to GET/POST/HEAD
- Rewrite rules routing all requests through `index.php`

The `custom/.htaccess` and `custom/data/.htaccess` files also deploy automatically and block direct access to config files and data.

## What needs manual cPanel configuration

### 1. Disable display_errors

Go to **MultiPHP INI Editor** (Home > Software > MultiPHP INI Editor):

- Select the domain
- Set `display_errors` = **Off**
- Set `log_errors` = **On**
- Set `expose_php` = **Off**

This prevents PHP errors from leaking server paths and internal details to visitors.

### 2. PHP version

Use **MultiPHP Manager** to ensure PHP 8.4+ is selected for the domain.

### 3. Session cookie hardening

Handled in `content/index.php` via `ini_set()` calls — no cPanel action needed. The entry point sets `HttpOnly`, `SameSite=Lax`, and `Secure` (when on HTTPS) before any session starts.

### 4. Server version header

On shared hosting you typically cannot change `ServerTokens` (it's a server-level directive). The `X-Powered-By` header is stripped by `.htaccess`, but the `Server: Apache/2.4.x` header may still show the full version. This is a low-risk issue on shared hosting since the Apache version is the hosting provider's responsibility.

### 5. SSL/TLS

Use **SSL/TLS** (Home > Security > SSL/TLS) or **AutoSSL** to ensure HTTPS is active. The session cookie `Secure` flag only activates over HTTPS.

## Checklist

- [ ] `.htaccess` deployed (copy `.htaccess.base` if needed, preserve cPanel-generated blocks)
- [ ] `display_errors` = Off in MultiPHP INI Editor
- [ ] `expose_php` = Off in MultiPHP INI Editor
- [ ] `log_errors` = On in MultiPHP INI Editor
- [ ] SSL certificate active
- [ ] `custom/smtp-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/listmonk-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/data/` directory writable by web server (`chmod 755` or `775`)
- [ ] `custom/data/.htaccess` present with `Require all denied`
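The session cookie hardening described in section 3 (and the HTTPS dependency of the `Secure` flag noted in section 5), shown as an added example. This is illustrative code, not the project's `content/index.php`; the function names `is_https`, `hardening_settings` and `harden_session` are hypothetical. It uses the same `ini_set()` approach the document describes and, going slightly beyond the three flags the document lists, also enables `session.use_strict_mode` and `session.use_only_cookies`, which are standard PHP settings.

```php
<?php
// Added example (not the project's content/index.php): apply session cookie
// hardening via ini_set() before session_start(), as a front controller would.
declare(strict_types=1);

/**
 * Detect whether the current request arrived over HTTPS.
 * Apache sets $_SERVER['HTTPS'] to "on" for TLS requests (some SAPIs use "1");
 * an absent/empty value or "off" means plain HTTP. Port 443 is a fallback check.
 */
function is_https(array $server): bool
{
    $https = (string) ($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/**
 * Decide which ini values to apply for this request. Returned as an array so the
 * caller can log or inspect exactly what was chosen.
 */
function hardening_settings(array $server): array
{
    return [
        'session.cookie_httponly'  => '1',   // JavaScript cannot read the cookie (limits XSS impact)
        'session.cookie_samesite'  => 'Lax', // not attached to cross-site POSTs (CSRF mitigation)
        'session.cookie_secure'    => is_https($server) ? '1' : '0', // only meaningful over TLS
        'session.use_strict_mode'  => '1',   // reject session IDs the server never issued
        'session.use_only_cookies' => '1',   // never accept a session ID from the URL
        'display_errors'           => '0',   // belt and braces; also set Off in MultiPHP INI Editor
        'log_errors'               => '1',
    ];
}

/** Apply the settings. Must run before session_start() and before any output. */
function harden_session(array $server): array
{
    $settings = hardening_settings($server);
    foreach ($settings as $key => $value) {
        ini_set($key, $value);
    }
    return $settings;
}

// Entry-point usage:
$applied = harden_session($_SERVER);
if ($applied['session.cookie_secure'] !== '1') {
    // Visible in the error log when HTTPS is not active (e.g. AutoSSL not yet issued).
    error_log('Session cookie issued without the Secure flag: request is not HTTPS');
}
session_start();
```

Because the `Secure` flag depends on `is_https()`, the log line above is a quick way to confirm from the cPanel error log that the SSL/TLS step in section 5 actually took effect for real requests, rather than assuming it from the certificate's presence alone.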