Tweak Settings — Security
Valid for versions 124 through the latest version
Last modified: October 16, 2024
Looking for this interface?
Note:
Your hosting provider can enable or disable this interface for resellers in WHM's Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).
The Security section includes the following settings:
Setting | Description | Values | Default |
---|---|---|---|
Allow autocomplete for login screens. | This setting specifies whether users can save their cPanel, WHM, and Webmail passwords in the browser’s cache. |
|
On |
Hide login password from cgi scripts | This setting hides the REMOTE_PASSWORD variable from scripts that the cpsrvd daemon’s CGI handler executes.
|
|
Off |
Cookie IP validation | This setting validates IP addresses for cookie-based logins. This denies attackers the ability to capture cPanel session cookies in order to gain access to your server’s cPanel & WHM interfaces.
|
|
strict |
Generate core dumps | This setting specifies whether cPanel & WHM’s services create core dumps. You can use core dumps to debug a service.Core dumps contain sensitive information. Make certain that you keep them secure. |
|
Off |
Send passwords when creating a new account | This setting allows you to send new users their passwords in plaintext over email when you create a new account.We strongly recommend that you do not enable this setting to avoid a security risk. |
|
Off |
Enable File Protect | This setting enables EasyApache 4’s FileProtect option, which improves the security of each user’s public_html directory. |
|
On |
Blank referrer safety check | This setting only permits cPanel & WHM to perform functions when the browser provides a referral URL. Each attempt to submit data to cPanel & WHM must have a referral URL. This helps the system to prevent cross-site request forgery (XSRF) attacks.
Important:
Exercise caution if you enable this setting. This setting can break the system’s integration with other systems, login applications, and billing software.
|
|
Off |
Referrer safety check | This setting only permits cPanel & WHM to perform functions when the browser provides a referral URL that exactly matches the destination URL. Each attempt to submit data to cPanel & WHM must have a referral URL for which the domain or IP address and port number exactly match those of the destination URL. This helps the system to prevent cross-site request forgery (XSRF) attacks.
Important:
Exercise caution if you enable this setting. This setting can break the system’s integration with other systems, login applications, and billing software.
|
|
Off |
Require SSL for cPanel Services | This option forces the server to redirect unencrypted cPanel, Webmail, WHM, and DAV requests to secure ports according to the SSL redirection settings. We strongly recommend that you enable this setting. |
|
On |
Allow PHP to be run when logged in as a reseller to WHM | This setting enables resellers to run PHP code in WHM. WHM’s PHP code runs as the root user. Exercise caution if you enable this setting. |
|
Off |
Allow apps that have not registered with AppConfig to be run when logged in as a reseller to WHM. | This setting allows unregistered AppConfig applications to run when you log in to WHM as a reseller. When you disable this setting, resellers can only run registered AppConfig applications. |
|
Off |
Allow apps that have not registered with AppConfig to be run when logged in as root or a reseller with the “all” ACL in WHM. | This setting allows unregistered AppConfig applications to run when you log in as a root user. When you disable this setting, a root user can only run registered AppConfig applications. |
|
Off |
This setting allows WHM applications and addons to execute even if an ACL list has not been defined. | This setting allows registered AppConfig applications and addons to run without a defined ACL list. When you disable this setting, cPanel & WHM forces registered AppConfig applications and addons to set an ACL list. |
|
Off |
This setting allows cPanel and Webmail applications and addons to execute even if a feature list has not been defined. | This setting allows registered AppConfig cPanel and Webmail apps to run without a defined required features list. When you disable this setting, cPanel & WHM forces registered AppConfig cPanel and Webmail apps to set a Required Features list. |
|
Off |
Use MD5 passwords with Apache | This setting specifies whether the system uses MD5 hashing for new passwords in Apache .htpasswd files. Because Apache .htpasswd files can contain a mix of crypt- and MD5-encoded passwords, this setting does not change the encoding of any existing passwords.MD5-encoded passwords provide more security than crypt-encoded passwords. Crypt only uses the first eight characters of the password for authentication, but the system allows MD5 passwords of length. |
|
On |
EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. | This setting enables the JailManager TailWatch Driver module. JailManager keeps each VirtFS filesystem jail shell in sync with the root filesystem. JailManager also returns the VirtFS filesystem jailed shells to a usable state when the system reboots.
Warning:
This feature is unstable and can result in unintended consequences, including performance and connection issues. Exercise extreme caution if you enable an EXPERIMENTAL feature or setting.
jailshell or noshell experiences the following changes:
|
|
Off |
Signature validation on assets downloaded from cPanel & WHM mirrors. | This setting specifies the type of GnuPG (GPG) key signature file (keyring) that the system uses to verify and sign files that you download from cPanel & WHM httpupdate mirrors.
|
|
Release Keyring Only |
Default SSL/TLS Key Type | This setting lets you specify the system’s default SSL/TLS key type. The system uses the selected key type to generate root ’s SSL/TLS keys. The system also uses this key type when it generates keys for cPanel users who do not specify a preferred SSL/TLS key type in cPanel’s SSL/TLS interface (cPanel » Home » Security » SSL/TLS). For more information about the available key types, read the SSL/TLS Key Types documentation.
Note:
When you update your preferred key type, the system will perform an AutoSSL run. This updates all installed AutoSSL-issued certificates to use the new key type.
|
|
RSA, 2,048-bit |
Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains. | When you create a new domain, cPanel will automatically enable SSL for that domain if an SSL certificate exists. If no SSL certificate exists, this functionality will generate a self-signed certificate.
Important:
|
|
On |
Verify signatures of 3rdparty cPaddons. | This setting verifies all third-party cPAddons’ GPG keys. You can enable this setting if you enable the Signature validation on assets downloaded from cPanel & WHM mirrors setting. This experimental setting does not provide effective security control. |
|
Off |
Allow deprecated WHM accesshash authentication | This setting allows users to authenticate with WHM via an access hash that they create in WHM’s Remote Access Key interface (WHM » Home » Clusters » Remote Access Key). We deprecated WHM’s Remote Access Key feature in cPanel & WHM version 64. We strongly recommend that you use API tokens instead. |
|
Off |
Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd | This setting adds the X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff headers to cpsrvd responses.
|
|
On |
Enable strict SSH host key checking | This setting configures the server to always verify the host key of remote systems for outgoing SSH connections, such as rsync and SFTP backup, transfers, and remote MySQL® connections. This setting helps defend the server against man-in-the-middle (MITM) attacks. |
|
disabled |
Display a message to reboot the server after essential software updates. | This setting configures the server to display a prompt to reboot the server after it installs an essential software update. If you disable this setting, you must manually reboot the server after essential software updates in order to address security issues. |
|
On |
Enable Content-Security-Policy on some interfaces | This setting enables the Content-Security-Policy (CSP) header on WHM’s Configure Application Locales, Delete a Locale, Locale XML Download, Locale XML Upload, View Available Locales, and Shell Fork Bomb Protection interfaces. This header can help to prevent certain cross-site scripting (XSS) attacks, and it may block JavaScript from external sites when you visit a CSP-enabled interface. |
|
Off |