innhold/docs/security-cpanel.md
Ruben 3b04a3d78c Add security hardening for shared hosting environments
Improve session cookie security with HttpOnly and SameSite attributes
Add security headers via .htaccess
Block direct access to sensitive files
Restrict allowed HTTP methods
Document cPanel-specific security configuration
Add container hardening for ServerTokens and ServerSignature
2026-02-10 23:02:57 +01:00

2.6 KiB

Security Hardening — cPanel Shared Hosting

The container dev environment (Containerfile + apache.conf) handles most hardening automatically. On cPanel shared hosting, some settings must be configured manually since you don't control the Apache or PHP config directly.

What's handled by .htaccess (works everywhere)

These are applied automatically via content/.htaccess (synced from .htaccess.base):

  • Block direct access to .ini, .md, .html and .php content files (the index.php entry point itself stays reachable, since the rewrite rule below sends requests to it)
  • Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • Strip X-Powered-By header
  • Restrict HTTP methods to GET/POST/HEAD
  • Rewrite rules routing all requests through index.php

The custom/.htaccess and custom/data/.htaccess files also deploy automatically and block direct access to config files and data.
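The directives below are an added example of the rules listed above, not the project's .htaccess.base or its custom/data/.htaccess. The header values, the re-allow of index.php and the comment banners are assumptions; the second banner is a separate file, so do not paste the whole block into one .htaccess.

```apacheconf
# ---- content/.htaccess (illustrative) ----
# Assumes the front controller is content/index.php in the document root and
# that cPanel-generated handler blocks are left in place around these rules.

# 1. Block direct access to content source files. Later <Files> sections
#    override earlier ones for the same path, so index.php is re-allowed after
#    the blanket deny; this also covers internally rewritten requests.
<FilesMatch "\.(ini|md|html|php)$">
    Require all denied
</FilesMatch>
<Files "index.php">
    Require all granted
</Files>

# 2. Security headers. Values are assumptions; restrict Permissions-Policy to the
#    browser features the site actually uses. "always" also covers 4xx/5xx pages.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # 3. Strip X-Powered-By as a fallback; expose_php = Off stops PHP emitting it
    #    at all. No "always" here: PHP writes into the normal (success) header
    #    table, which is the one the plain Header directive edits.
    Header unset X-Powered-By
</IfModule>

# 4. Allow only GET, POST and HEAD. OPTIONS is refused too, so CORS preflight
#    requests fail; add it here only if the site serves cross-origin API calls.
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

# 5. Route every request that is not an existing file or directory through
#    index.php, keeping the query string.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L,QSA]
</IfModule>

# ---- custom/data/.htaccess (entire file, separate from the one above) ----
# Nothing under custom/data/ is ever served directly; PHP reads it from disk.
Require all denied
```

A quick check after deploying: request a file that should be blocked (for example a .md file) and expect 403, send an OPTIONS or PUT request and expect 403, and confirm the four headers appear on both a normal page and a 404 page.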

What needs manual cPanel configuration

1. Disable display_errors

Go to MultiPHP INI Editor (Home > Software > MultiPHP INI Editor):

  • Select the domain
  • Set display_errors = Off
  • Set log_errors = On
  • Set expose_php = Off

This prevents PHP errors from leaking server paths and internal details to visitors, while log_errors keeps them available in the error log for debugging. expose_php = Off stops PHP from emitting the X-Powered-By header at the source, so the .htaccess rule that strips it becomes a fallback rather than the only defence.

2. PHP version

Use MultiPHP Manager to ensure PHP 8.4+ is selected for the domain.

3. Session cookie flags

Handled in content/index.php via ini_set() calls, so no cPanel action is needed. The entry point sets HttpOnly, SameSite=Lax, and Secure (only when the request arrived over HTTPS) before any session starts; flags changed after session_start() do not apply to the cookie that has already been sent.
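The script below is an added example of that order of operations, not the project's content/index.php. The function names are illustrative, and the HTTPS detection deliberately ignores X-Forwarded-Proto because on shared hosting there is no trusted proxy that sets it.

```php
<?php
declare(strict_types=1);

// Added example (not the project's index.php): decide the cookie flags for this
// request, apply them with ini_set(), then start the session, before any output.

/**
 * True when the request arrived over TLS. Only $_SERVER['HTTPS'] and the port are
 * consulted; a client-supplied X-Forwarded-Proto header is not trusted here.
 */
function request_is_https(array $server): bool
{
    $https = (string) ($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/**
 * Session ini settings for a request. Kept as a pure function so the policy can
 * be inspected or tested without starting a session.
 */
function session_cookie_settings(bool $https): array
{
    return [
        'session.cookie_httponly'  => '1',                // not readable from JavaScript
        'session.cookie_samesite'  => 'Lax',              // not sent on cross-site POSTs
        'session.cookie_secure'    => $https ? '1' : '0', // Secure set over plain HTTP would make browsers drop the cookie
        'session.use_only_cookies' => '1',                // never accept the session ID from the URL
        'session.use_strict_mode'  => '1',                // reject session IDs the server did not issue
        'session.cookie_lifetime'  => '0',                // browser-session cookie
    ];
}

/** Apply the settings and start the session. Must run before any output. */
function start_hardened_session(array $server): void
{
    if (headers_sent($file, $line)) {
        // Too late: the response headers, and with them Set-Cookie, are already sent.
        throw new RuntimeException("Output started at $file:$line before session setup");
    }
    foreach (session_cookie_settings(request_is_https($server)) as $key => $value) {
        if (ini_set($key, $value) === false) {
            throw new RuntimeException("ini_set() refused $key");
        }
    }
    session_start();
}

start_hardened_session($_SERVER);
```

The Secure flag is conditional so that a plain-HTTP visit still gets a working session; the trade-off is that such a visit sends the cookie in the clear. Once the certificate from section 5 is active, redirecting HTTP to HTTPS makes the condition always true and removes that window. session.cookie_samesite needs PHP 7.3 or later, which the PHP 8.4 requirement above already covers.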

4. Server version header

On shared hosting you typically cannot change ServerTokens (it's a server-level directive). The X-Powered-By header is stripped by .htaccess, but the Server: Apache/2.4.x header may still show the full version. This is a low-risk issue on shared hosting since the Apache version is the hosting provider's responsibility.

5. SSL/TLS

Use SSL/TLS (Home > Security > SSL/TLS) or AutoSSL to ensure HTTPS is active. The session cookie Secure flag only activates over HTTPS, so while the site is still reachable over plain HTTP the session cookie is sent in the clear on those requests.

Checklist

  • .htaccess deployed (copy .htaccess.base if needed, preserve cPanel-generated blocks)
  • display_errors = Off in MultiPHP INI Editor
  • expose_php = Off in MultiPHP INI Editor
  • log_errors = On in MultiPHP INI Editor
  • SSL certificate active
  • custom/smtp-config.php exists but is NOT in git (check .gitignore)
  • custom/listmonk-config.php exists but is NOT in git (check .gitignore)
  • custom/data/ directory writable by the PHP process (chmod 755 is enough when PHP runs as the account user, which is the cPanel default; 775 only if a separate web server group needs write access; never 777)
  • custom/data/.htaccess present with Require all denied