Tweak Settings — Security

Valid for version 116

Version:

110

112

116

118

120

124

Last modified: October 10, 2024


Looking for this interface?
Note:

Your hosting provider can enable or disable this interface for resellers in WHM's Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).

The Security section includes the following settings:

Setting Description Values Default
Allow autocomplete for login screens. This setting specifies whether users can save their cPanel, WHM, and Webmail passwords in the browser’s cache.
  • On — Users can save to the browser’s cache.
  • Off — Users can’t save to the browser’s cache.
On
Hide login password from cgi scripts This setting hides the REMOTE_PASSWORD variable from scripts that the cpsrvd daemon’s CGI handler executes.
  • This setting does not hide the REMOTE_PASSWORD variable from phpMyAdmin.
  • cPanel’s CGI Center interface (cPanel » Home » Software and Services » CGI Center) only exists in cPanel’s removed x3 theme. You cannot create new CGI scripts with cPanel’s current theme (Jupiter), and we strongly discourage the use of the x3 theme.
  • On — Hide.
  • Off — Don’t hide.
Off
Cookie IP validation This setting validates IP addresses for cookie-based logins. This denies attackers the ability to capture cPanel session cookies in order to gain access to your server’s cPanel & WHM interfaces.
  • For this setting to have most effectiveness, you should disable the Service subdomains setting.
  • disabled — The system does not validate IP addresses.
  • loose — The system requires that the access IP address and the cookie IP address must be in the same class C subnet.
  • strict — The system requires that the access IP address and the cookie IP address match exactly.
strict
Generate core dumps This setting specifies whether cPanel & WHM’s services create core dumps. You can use core dumps to debug a service.
Core dumps contain sensitive information. Make certain that you keep them secure.
  • On — Create.
  • Off — Don’t create.
Off
Send passwords when creating a new account This setting allows you to send new users their passwords in plaintext over email when you create a new account.
We strongly recommend that you do not enable this setting to avoid a security risk.
  • On — Send in plaintext.
  • Off — Don’t send in plaintext.
Off
Enable File Protect This setting enables EasyApache 4’s FileProtect option, which improves the security of each user’s public_html directory.
  • On — Enable.
  • Off — Disable.
On
Blank referrer safety check This setting only permits cPanel & WHM to perform functions when the browser provides a referral URL. Each attempt to submit data to cPanel & WHM must have a referral URL. This helps the system to prevent cross-site request forgery (XSRF) attacks.
  • The visitor or application that queries the server must enable cookies for this setting to function.
Important:
Exercise caution if you enable this setting. This setting can break the system’s integration with other systems, login applications, and billing software.
  • On — Require a referral URL.
  • Off — Don’t require a referral URL.
Off
Referrer safety check This setting only permits cPanel & WHM to perform functions when the browser provides a referral URL that exactly matches the destination URL. Each attempt to submit data to cPanel & WHM must have a referral URL for which the domain or IP address and port number exactly match those of the destination URL. This helps the system to prevent cross-site request forgery (XSRF) attacks.
  • The visitor or application that queries the server must enable cookies for this setting to function.
Important:
Exercise caution if you enable this setting. This setting can break the system’s integration with other systems, login applications, and billing software.
  • On — Require a referral URL.
  • Off — Don’t require a referral URL.
Off
Require SSL for cPanel Services This option forces the server to redirect unencrypted cPanel, Webmail, WHM, and DAV requests to secure ports according to the SSL redirection settings. We strongly recommend that you enable this setting.
  • On — Require encryption.
  • Off — Don’t require encryption.
On
Allow PHP to be run when logged in as a reseller to WHM This setting enables resellers to run PHP code in WHM. WHM’s PHP code runs as the root user. Exercise caution if you enable this setting.
  • On — Enable.
  • Off — Disable.
Off
Allow apps that have not registered with AppConfig to be run when logged in as a reseller to WHM. This setting allows unregistered AppConfig applications to run when you log in to WHM as a reseller. When you disable this setting, resellers can only run registered AppConfig applications.
  • On — Enable.
  • Off — Disable.
Off
Allow apps that have not registered with AppConfig to be run when logged in as root or a reseller with the “all” ACL in WHM. This setting allows unregistered AppConfig applications to run when you log in as a root user. When you disable this setting, a root user can only run registered AppConfig applications.
  • On — Enable.
  • Off — Disable.
Off
This setting allows WHM applications and addons to execute even if an ACL list has not been defined. This setting allows registered AppConfig applications and addons to run without a defined ACL list. When you disable this setting, cPanel & WHM forces registered AppConfig applications and addons to set an ACL list.
  • On — Enable.
  • Off — Disable.
Off
This setting allows cPanel and Webmail applications and addons to execute even if a feature list has not been defined. This setting allows registered AppConfig cPanel and Webmail apps to run without a defined required features list. When you disable this setting, cPanel & WHM forces registered AppConfig cPanel and Webmail apps to set a Required Features list.
  • On — Enable.
  • Off — Disable.
Off
Use MD5 passwords with Apache This setting specifies whether the system uses MD5 hashing for new passwords in Apache .htpasswd files. Because Apache .htpasswd files can contain a mix of crypt- and MD5-encoded passwords, this setting does not change the encoding of any existing passwords.

MD5-encoded passwords provide more security than crypt-encoded passwords. Crypt only uses the first eight characters of the password for authentication, but the system allows MD5 passwords of length.
  • On — Enable.
  • Off — Disable. When you disable this option, Apache uses crypt hashing.
On
EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. This setting enables the JailManager TailWatch Driver module. JailManager keeps each VirtFS filesystem jail shell in sync with the root filesystem. JailManager also returns the VirtFS filesystem jailed shells to a usable state when the system reboots.
Warning:
This feature is unstable and can result in unintended consequences, including performance and connection issues. Exercise extreme caution if you enable an EXPERIMENTAL feature or setting.
  • These features may not function with other features or settings.
  • These features do not provide current and effective security controls.
  • EXPERIMENTAL features do not qualify for our security bounty.
  • For more information about an EXPERIMENTAL feature’s compatibility, read our Change Logs documentation.
You do not need to enable or disable JailManager in the Service Manager interface (WHM » Home » Service Configuration » Service Manager) because this setting controls the module’s state.
  • The mod_ruid2 module uses the chroot command on Apache virtual hosts if you enable this setting. This action runs Apache virtual hosts in an environment with an altered root directory.
  • You can use this setting when you compile Apache through EasyApache and you have installed mod_ruid2 version 0.9.4a or later.
  • You can use this setting on AlmaLinux OS, Rocky Linux™, or Ubuntu® servers. The CloudLinux™ operating system does not support the mod_ruid2 module.
When you enable this option, each user with a configured jailshell or noshell experiences the following changes:
  • The chroot command jails the user’s Apache Virtual Hosts into the /home/virtfs directory.
  • The system adds the RDocumentChRoot directive to the user’s Virtual Host.
  • The system limits the user’s filesystem view to their /home/virtfs/username filesystem. Various jail shell-related options control the /home/virtfs/username filesystem configuration.
  • On — Enable.
  • Off — Disable.
Off
Signature validation on assets downloaded from cPanel & WHM mirrors. This setting specifies the type of GnuPG (GPG) key signature file (keyring) that the system uses to verify and sign files that you download from cPanel & WHM httpupdate mirrors.
  • For more information about these GPG keys, read our Download Security documentation.
  • This setting does not provide effective security control.
    • Off — The system does not validate any digital signatures.
    • Release Keyring Only — The system uses the Release GPG keyring to validate official release downloads from cPanel & WHM httpupdate mirrors.
    • Release and Development Keyrings — The system uses the Release and Development GPG keyrings to validate test and development release downloads from cPanel & WHM httpupdate mirrors.
    Release Keyring Only
    Default SSL/TLS Key Type This setting lets you specify the system’s default SSL/TLS key type. The system uses the selected key type to generate root’s SSL/TLS keys. The system also uses this key type when it generates keys for cPanel users who do not specify a preferred SSL/TLS key type in cPanel’s SSL/TLS interface (cPanel » Home » Security » SSL/TLS). For more information about the available key types, read the SSL/TLS Key Types documentation.
    Note:
    When you update your preferred key type, the system will perform an AutoSSL run. This updates all installed AutoSSL-issued certificates to use the new key type.
    • RSA, 2,048-bit
    • ECDSA, P-384 (secp384r1)
    • ECDSA, P-256 (prime256v1)
    • RSA, 4,096-bit
    RSA, 2,048-bit
    Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains. When you create a new domain, cPanel will automatically enable SSL for that domain if an SSL certificate exists. If no SSL certificate exists, this functionality will generate a self-signed certificate.
    Important:
    • We strongly recommend that you enable AutoSSL.
    • If you disable this option, and a CA-signed certificate is not available, when a user attempts to visit the newly created domain over HTTPS, the user will see the first SSL certificate installed on that IP address.
    • If you have not enabled a CA-signed certificate or AutoSSL, Google search results may point to the SSL site version with a self-signed certificate. Self-signed certificates generate browser warnings.
    • On — Enable.
    • Off — Disable.
    On
    Verify signatures of 3rdparty cPaddons. This setting verifies all third-party cPAddons’ GPG keys. You can enable this setting if you enable the Signature validation on assets downloaded from cPanel & WHM mirrors setting. This experimental setting does not provide effective security control.
    • On — Enable.
    • Off — Disable.
    Off
    Allow deprecated WHM accesshash authentication This setting allows users to authenticate with WHM via an access hash that they create in WHM’s Remote Access Key interface (WHM » Home » Clusters » Remote Access Key). We deprecated WHM’s Remote Access Key feature in cPanel & WHM version 64. We strongly recommend that you use API tokens instead.
    • On — Enable.
    • Off — Disable.
    Off
    Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd This setting adds the X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff headers to cpsrvd responses.
    • This setting only controls header directives for cPanel & WHM service ports 2082, 2083, 2086, 2087, 2095, and 2096.
    • For more information about X-Frame-Options, read Mozilla’s X-Frame-Options documentation.
    • For more information about X-Content-Type-Options, read Mozilla’s X-Content-Type-Options documentation.
    • On — Enable.
    • Off — Disable.
    On
    Enable strict SSH host key checking This setting configures the server to always verify the host key of remote systems for outgoing SSH connections, such as rsync and SFTP backup, transfers, and remote MySQL® connections. This setting helps defend the server against man-in-the-middle (MITM) attacks.
    • disabled — Do not require that the server verifies the host key of remote systems for outgoing SSH connections.
    • enabled — Require that the server verifies the host key of all remote systems for outgoing SSH connections. If you select enabled, you must add a host key for each remote system to the /etc/ssh/ssh_known_hosts file.
    • dns — If the remote system contains SSHFP records in a DNSSEC-signed zone and the local system uses EDNS0 resolving, the local system uses the SSHFP records to verify the remote system. Otherwise, the system uses the enabled setting’s behavior. If you select dns, you must perform the following actions and meet the following conditions:
      • You must add a host key for each remote system to the /etc/ssh/ssh_known_hosts file if either of the following conditions is true:
        • The remote system does not contain SSHFP records in a DNSSEC-signed zone.
        • The local system does not use EDNS0 resolving.
      • You must use the remote system’s hostname instead of the IP address in all relevant interfaces.
      • The remote system’s hostname must exist in a DNSSEC-signed zone.
      • The server’s resolvers in the /etc/resolv.conf file must be DNSSEC-aware (for example, BIND, PowerDNS, and Google Public DNS nameservers).
      • The remote system’s resolvers must use EDNS0 resolving. To confirm this, locate the options edns0 option in the /etc/resolv.conf file.
      • For AlmaLinux and Rocky Linux servers, the server that makes the connection must possess SSHFP records with the SHA-1 (algorithm 1) or SHA-256 (algorithm 2) encryption algorithms.
    disabled
    Display a message to reboot the server after essential software updates. This setting configures the server to display a prompt to reboot the server after it installs an essential software update. If you disable this setting, you must manually reboot the server after essential software updates in order to address security issues.
    • On — Enable.
    • Off — Disable.
    On
    Enable Content-Security-Policy on some interfaces This setting enables the Content-Security-Policy (CSP) header on WHM’s Configure Application Locales, Delete a Locale, Locale XML Download, Locale XML Upload, View Available Locales, and Shell Fork Bomb Protection interfaces. This header can help to prevent certain cross-site scripting (XSS) attacks, and it may block JavaScript from external sites when you visit a CSP-enabled interface.
    • On — Enable.
    • Off — Disable.
    Off