We've provided a guide to achieve A+ SSL/TLS rating on SSLLabs.com test - good luck!
Once you've logged into WHM for the server that powers your domain name, each service needs refining.
- Apache web server
- cPanel/WHM web daemons/services
- cPanel web disk service
- Mail server (IMAP/POP)
- Outbound SMTP server
- FTP server
Depending on when you installed cPanel+WHM, you will have different server default settings applied.
We need to firstly make sure SSL is disabled in full, and that only TLS v1.2 and V1.3 are supported.
Search for each component, enter their WHM Configuration page (example below) and change:
eg: WHM > Service Configuration > cPanel Web Services Configuration
- Protocols/versions (cPanel): SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
Protocols/versions (other): all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
- Cipher suites: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
- File ETag: None
- SSL stapling: Enabled
- Server Signature: Disabled
- Server Tokens: Product only
In WHM, go to Home » Service Configuration » Apache Configuration » Include Editor and open the Pre Main Include section for All Versions.
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-XSS-Protection "1; mode=block;"
Header always set X-Content-Type-Options "nosniff"
Once you've saved the configuration for every service in question (though only Apache is needed to pass SSL Labs, every one is needed to actually improve the server's security), you should receive A+!
If you're keen to expand your cPanel+WHM knowledge and further improve on your server's configuration, we recommend that you certify yourself through the cPanel University at https://university.cpanel.net