innhold/docs/security-cpanel.md
Ruben 3b04a3d78c Add security hardening for shared hosting environments
Improve session cookie security with HttpOnly and SameSite attributes
Add security headers via .htaccess
Block direct access to sensitive files
Restrict allowed HTTP methods
Document cPanel-specific security configuration
Add container hardening for ServerTokens and ServerSignature
2026-02-10 23:02:57 +01:00


# Security Hardening — cPanel Shared Hosting
The container dev environment (Containerfile + apache.conf) handles most hardening automatically. On cPanel shared hosting, some settings must be configured manually since you don't control the Apache or PHP config directly.
## What's handled by .htaccess (works everywhere)
These are applied automatically via `content/.htaccess` (synced from `.htaccess.base`):
- Block direct access to `.ini`, `.md`, `.html`, `.php` content files
- Security headers: `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`
- Strip `X-Powered-By` header
- Restrict HTTP methods to GET/POST/HEAD
- Rewrite rules routing all requests through `index.php`
The `custom/.htaccess` and `custom/data/.htaccess` files also deploy automatically and block direct access to config files and data.
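The `.htaccess.base` file itself is not reproduced here. As an added example (not the project's own file), the rules below implement the five points above in one `.htaccess`. It assumes `content/` is the document root, that `mod_rewrite` and `mod_headers` are available with `AllowOverride All` (the usual cPanel defaults), and that static assets (CSS, JS, images) should be served directly rather than routed through `index.php`. The page names only the headers, not their values; the values used here are this example's choices.

```apache
# Added example: an .htaccess implementing the rules listed above.
# Not the project's .htaccess.base. Assumes content/ is the document root
# and that mod_rewrite, mod_headers and AllowOverride All are available.

# 1. Block direct access to content/config files. Authorization runs before
#    the per-directory rewrite below, so a request for /page.md is refused
#    here with 403 rather than being routed to index.php.
<FilesMatch "\.(ini|md|html|php)$">
    Require all denied
</FilesMatch>

# Re-allow the single entry point. A later <Files> section replaces the
# authorization of an earlier match for the same file, so only index.php
# is affected.
<Files "index.php">
    Require all granted
</Files>

# 2. Security headers, and 3. strip X-Powered-By.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # PHP adds X-Powered-By to the normal header table; error responses use
    # the "always" table, so remove it from both.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>

# 4. Restrict HTTP methods: anything other than GET, POST and HEAD gets 403.
#    TRACE is not covered by <LimitExcept>; it is governed by the server-level
#    TraceEnable directive, which the hosting provider controls.
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

# 5. Front controller: route every request that is not an existing file
#    through index.php, preserving the query string. A request for a
#    directory is not a file, so it is routed too and never produces a listing.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L,QSA]
</IfModule>
```

The `<FilesMatch>` block and the rewrite rule overlap on purpose: the rewrite makes `index.php` the only code path for normal navigation, while the `Require all denied` on `.ini`, `.md`, `.html` and `.php` files guarantees that a direct request for a source or config file is refused even if the rewrite rules are later loosened. To confirm the result after deploying, request a known `.ini` or `.md` path and check for a `403`, and inspect the response headers of a normal page for the four security headers and the absence of `X-Powered-By`.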
## What needs manual cPanel configuration
### 1. Disable display_errors
Go to **MultiPHP INI Editor** (Home > Software > MultiPHP INI Editor):
- Select the domain
- Set `display_errors` = **Off**
- Set `log_errors` = **On**
- Set `expose_php` = **Off**
This prevents PHP errors from leaking server paths and internal details to visitors.
### 2. PHP version
Use **MultiPHP Manager** to ensure PHP 8.4+ is selected for the domain.
### 3. Session cookie hardening
Handled in `content/index.php` via `ini_set()` calls — no cPanel action needed. The entry point sets `HttpOnly`, `SameSite=Lax`, and `Secure` (when on HTTPS) before any session starts.
### 4. Server version header
On shared hosting you typically cannot change `ServerTokens` (it's a server-level directive). The `X-Powered-By` header is stripped by `.htaccess`, but the `Server: Apache/2.4.x` header may still show the full version. This is a low-risk issue on shared hosting since the Apache version is the hosting provider's responsibility.
### 5. SSL/TLS
Use **SSL/TLS** (Home > Security > SSL/TLS) or **AutoSSL** to ensure HTTPS is active. The session cookie `Secure` flag only activates over HTTPS.
## Checklist
- [ ] `.htaccess` deployed (copy `.htaccess.base` if needed, preserve cPanel-generated blocks)
- [ ] `display_errors` = Off in MultiPHP INI Editor
- [ ] `expose_php` = Off in MultiPHP INI Editor
- [ ] `log_errors` = On in MultiPHP INI Editor
- [ ] SSL certificate active
- [ ] `custom/smtp-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/listmonk-config.php` exists but is NOT in git (check `.gitignore`)
- [ ] `custom/data/` directory writable by web server (`chmod 755` or `775`)
- [ ] `custom/data/.htaccess` present with `Require all denied`