cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Add X-Frame-Options Cpanel Ports

Denver Prophit Jr. shared this idea 4 years ago
Completed

I just went through a PCI scan Feb 28, 2017. TrustWave was dinging ports 2082, 2083, 2087, 2096 for X-Frame-Options which I think should be a value of Deny. I would like to see this header directive added on those ports for various pages they serve up. The associated forum is https://forums.cpanel.net/threads/x-frame-options-cpanel-ports.594731/

Best Answer
photo

This was added in cPanel & WHM Version 68. In WHM:

Server Configuration > Tweak Settings > Security > ‘Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd’

Read more about it in our 82 docs.

Replies (7)

photo
3

This is definitely something we'd like to consider adding, along with support for all modern HTTP security headers, and it's currently on one of our product backlogs. Once any kind of work starts on that, we'll definitely be back to update here.

photo
3

NICE! Such as HSTS if service SSL has valid CA? That would be nice! =)

photo
2

Our security team requested that we harden then cPanel WHM login page by adding the "x-frame-options sameorigin" header to this page. We opened a support ticket regarding this as it's becoming a requirement on admin login pages, it is not something they can help us with and directed us here to request it as a feature.

photo
1

Our security team requested that we harden then cPanel WHM login page by adding the "x-frame-options sameorigin" header to this page. We opened a support ticket regarding this as it's becoming a requirement on admin login pages, it is not something they can help us with and directed us here to request it as a feature.

photo
1

I would also like this added. Our PCI compliance is failing in this area, and may have to block these ports completely until its resolved.

photo
1

We're in the same boat. This is now causing cPanel servers to fail PCI scans.


Hoping for a timely resolution for this as blocking the cPanel ports is less than ideal.

photo
1

Same here as well, great so this is now a serious issue causing many many people to fail PCI and this thread is the sum of actions that cp are taking i.e. "we'd like to add it"


I have hundreds of cp licences - so this is a headache!


Any updates yet????

photo
1

No updates yet. As soon as there is, I will make sure there's an update here.

photo
1

I know this isn't the best solution, but I thought maybe I could recommend a temporary working? I know it'd be hard to implement for people with many servers, but until cPanel fully implements the headers (I need some myself, that cPanel doesn't currently implement, but not the X-Frame-Options one in particular), would it be possible for cPanel to add some tweak setting where if enabled, access to the various cPanel services (ie, cpanel.domain.com, whm.domain.com, not webmail.domain.com) are only accessible by whitelisted IP addresses? This would allow people to not fail the PCI compliance test. I really would love to see the full header support added and away to customize which ones are set. I fail an audit because of this. I'm not sending the HSTS header on the cpanel service ports. I've tried many things to set it, but have failed with all my attempts.

photo
1

This was added in cPanel & WHM Version 68. In WHM:

Server Configuration > Tweak Settings > Security > ‘Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd’

Read more about it in our 82 docs.

Replies have been locked on this page!