Technically Speaking

The Official Bigstep Blog

 

How to Configure the Best TLS Settings in WHM: From A to A+

The COVID-19 pandemic forced organizations worldwide to turn to a work-from-home policy for the safety of their employees and the world at large. Keeping your website secure and your traffic encrypted during these times is crucial. Read our blog post to find out how to configure the optimal SSL/TLS encryption settings in WHM.

Enforcing the optimal SSL/TLS settings is a crucial task for a system administrator, since it influences not only website security but also the ranking on search engines such as Google. By default, WHM offers fairly strong security settings that are good enough for most use cases. However, it is possible to harden them even further and take advantage of the latest encryption features, in order to keep your domains as secure as possible.

First of all, let’s have a look at the default Apache settings in WHM. If you navigate to the Home » Service Configuration » Apache Configuration » Global Configuration menu, you will find these defaults:

Let’s test them using the Qualys SSL Labs website, which is the most comprehensive free test available at the moment. The result is an overall rating of A, which is pretty good.

However, it is possible to improve this rating further, and get the maximum of A+. Let’s see how to accomplish that.

We will start by enabling TLS 1.3, which was added in version 86 of WHM. From the Apache configuration menu, edit the default SSL/TLS Protocols settings and add TLSv1.3. We recommend keeping TLS 1.2 active as well, for better compatibility with some older browsers. To leave only these two versions enabled, we need to disable all older protocols by adding this line: All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1.

Save your changes, rebuild the configuration and restart Apache. Repeating the test at this stage will result in the same rating (A), but the TLS 1.3 support will be duly noted.

One more change is required for an A+ rating. In WHM, go to Home » Service Configuration » Apache Configuration » Include Editor and open the Pre Main Include section for All Versions.

Paste these three lines in the editor, then click on Update:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-XSS-Protection "1; mode=block;"
Header always set X-Content-Type-Options "nosniff"

Click on Restart Apache in the next window, then repeat the Qualys test.

Congratulations, your server now gets the maximum A+ encryption rating!
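
To check the two settings before pasting them into WHM, here is an added example that is not part of the original post or of WHM itself: it evaluates an SSLProtocol value left to right and checks the include text for the HSTS and nosniff headers. The function names, the expansion of All (assumed to be an Apache build with TLS 1.3 support) and the minimum max-age (taken from the value used above) are assumptions.

```python
import re

# Assumption: what "All" enables on an Apache build with TLS 1.3 support.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WANTED = {"TLSv1.2", "TLSv1.3"}
HEADER_RE = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+"([^"]*)"', re.I | re.M)

def effective_protocols(value):
    """Evaluate SSLProtocol left to right: bare name replaces, +name adds, -name removes."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "sslv2" and sign == "-":
            continue  # SSLv2 no longer exists in Apache 2.4; removing it is a no-op
        # "All" selects every protocol, any other name selects itself (case-insensitive).
        match = {p for p in ALL_PROTOCOLS if name.lower() in ("all", p.lower())}
        if not match:
            raise ValueError(f"unsupported protocol token: {token}")
        if sign == "-":
            enabled -= match
        elif sign == "+":
            enabled |= match
        else:
            enabled = match
    return enabled

def audit(ssl_protocol, include_text, min_max_age=31536000):
    """Return a list of findings; an empty list means the settings match the page."""
    enabled = effective_protocols(ssl_protocol)
    findings = [f"legacy protocol still enabled: {p}" for p in sorted(enabled - WANTED)]
    findings += [f"protocol not enabled: {p}" for p in sorted(WANTED - enabled)]
    headers = {n.lower(): v for n, v in HEADER_RE.findall(include_text)}
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not m:
        findings.append("Strict-Transport-Security missing or has no max-age")
    elif int(m.group(1)) < min_max_age:
        findings.append(f"HSTS max-age {m.group(1)} is below {min_max_age}")
    if headers.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not set to nosniff")
    return findings

# The values from this page, followed by a constructed weaker configuration.
PAGE_PROTOCOLS = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
PAGE_INCLUDE = '''Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-XSS-Protection "1; mode=block;"
Header always set X-Content-Type-Options "nosniff"
'''
if __name__ == "__main__":
    print(audit(PAGE_PROTOCOLS, PAGE_INCLUDE) or "no findings")
    print(audit("All -SSLv2 -SSLv3", 'Header set Strict-Transport-Security "max-age=300"'))
```

An empty result for the page's values means only TLS 1.2 and TLS 1.3 remain enabled and both headers are present; it does not replace repeating the Qualys test against the live server.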

About the author

Dragos Baldescu is a Level 2 Technical Support Engineer at Bigstep, passionate about Linux and testing out new technologies and solutions.
