
How to Fix Security Headers in cPanel

cPanel is the most widely deployed Linux hosting control panel. On cPanel servers, security headers are added per account via .htaccess: Apache's mod_headers is loaded by default through EasyApache 4, and cPanel's default AllowOverride lets .htaccess carry Header directives, so this part needs no WHM access. This guide covers every fix our Security Audit raises on a cPanel-hosted site: HTTP security headers via .htaccess, modern TLS via WHM, and publishing security.txt. Tested against cPanel 116 on CloudLinux 8. For raw Apache (cPanel's underlying web server), see the Apache variant; for the full finding catalogue, see Security Audit Fixes.

1. Locate or create .htaccess

Every cPanel account has a public_html directory. The .htaccess file lives at its root. If absent, you can create it from File Manager.

Step 1
Open File Manager
Log into cPanel → Files → File Manager. Navigate to public_html. If .htaccess is not visible, click Settings (top right) and tick Show Hidden Files (dotfiles).
Step 2
Edit or create .htaccess
Right-click .htaccess → Edit. If the file does not exist, click + File at the top, name it .htaccess, then edit.

2. Add the six HTTP security headers

Paste the following block at the top of .htaccess. The IfModule wrapper prevents a 500 error on the rare cPanel server without mod_headers loaded.

Step 1
Paste the directives
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'self'"
</IfModule>
Save the file.
⚠️ Use Header always set, not Header set. Plain Header set only adds the header to successful (2xx) responses, while always also covers redirects and error pages. A browser records HSTS from any HTTPS response it receives, and error pages are what an attacker's probes mostly get back, so a 404 without the headers is a real gap.
⚠️ The Content-Security-Policy above allows no inline or third-party scripts. Sites using analytics, tag managers or inline <script> blocks will break under it. Roll it out first as Content-Security-Policy-Report-Only with the same value, watch the browser console for violations, then switch to the enforcing header. Likewise, preload in Strict-Transport-Security commits the domain and every subdomain to HTTPS for a year; leave preload off (or start with a shorter max-age) until every subdomain serves valid TLS.
💡 cPanel has no built-in syntax validator for .htaccess. Test by visiting your site immediately after saving. A 500 error means Apache rejected a directive; the offending line is logged under cPanel → Metrics → Errors. Re-edit or restore from backup.

3. Configure TLS via WHM

cPanel servers expose TLS configuration through WHM (the root-level admin panel). If you only have cPanel access (not WHM), ask your host to apply these settings.

Step 1
Open WHM Tweak Settings
WHM → Server Configuration → Tweak Settings. In the search box type SSL/TLS Protocols. Set The list of SSL/TLS protocols for cPanel services to TLSv1.2 TLSv1.3. Save.
Step 2
Apache TLS settings
WHM → Service Configuration → Apache Configuration → Global Configuration. Find SSL/TLS Protocols. Set: all -SSLv3 -TLSv1 -TLSv1.1. Save and rebuild config (WHM prompts automatically).

4. Publish security.txt

RFC 9116 standardises the /.well-known/security.txt path. Contact and Expires are the two mandatory fields, and the RFC recommends an Expires value less than a year in the future, so diarise a refresh. cPanel makes creating the file trivial via File Manager.

Step 1
Create the file
File Manager → public_html → + Folder → name it .well-known. Inside that folder, + File → security.txt. Edit and paste:
Contact: mailto:security@yourdomain.com
Expires: 2027-05-18T00:00:00.000Z
Preferred-Languages: en
Canonical: https://yourdomain.com/.well-known/security.txt
Step 2
Force text/plain
Back in .htaccess, add:
<Files "security.txt">
  ForceType text/plain
</Files>

5. Verify

Test from outside the server:

Step 1
Verify with curl
curl -sI https://yourdomain.com/ | grep -iE "strict-transport|x-frame|x-content|referrer|permissions|content-security"
All six headers should appear. Repeat the command against a path that does not exist (a 404 page): with Header always set the same six headers must appear there too. Then re-run the Security Audit for full verification.
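The checks above, scripted, as an added example that is not part of the original guide or of cPanel: the functions read raw response headers (or a security.txt body) on stdin, so they run on `curl -sI` output or on a saved response. The hostname, the 404 probe path and the sample responses are assumptions constructed for the example; everything else is what sections 2 and 4 configure.

```shell
#!/bin/sh
# Added example, not part of the original guide: offline checks for the six
# headers, the HSTS max-age and the security.txt fields this guide configures.
# check_headers, hsts_ok and check_security_txt all read their input on stdin,
# so they work on the output of `curl -sI` or on a saved response.

REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options \
referrer-policy permissions-policy content-security-policy"

# Normalise a response: strip CRs and lower-case so header names compare cleanly.
normalise() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]'
}

# check_headers: print every required header absent from the response on stdin;
# return 0 when all six are present, 1 otherwise.
check_headers() {
    hdrs=$(normalise)
    rc=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "missing: $h"
            rc=1
        fi
    done
    return $rc
}

# hsts_ok: return 0 when Strict-Transport-Security carries max-age >= 31536000
# (one year), the value the guide sets.
hsts_ok() {
    age=$(normalise | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
        echo "hsts: max-age missing or below one year (got '${age:-none}')"
        return 1
    fi
    return 0
}

# check_security_txt: read a security.txt on stdin; require a Contact field and
# an Expires field still in the future. Both timestamps are ISO 8601 in UTC, so
# a byte-order text sort orders them correctly without date(1) parsing.
check_security_txt() {
    body=$(tr -d '\r')
    printf '%s\n' "$body" | grep -q '^Contact:' || { echo "security.txt: no Contact field"; return 1; }
    exp=$(printf '%s\n' "$body" | sed -n 's/^Expires:[[:space:]]*//p' | head -n 1)
    [ -n "$exp" ] || { echo "security.txt: no Expires field"; return 1; }
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    earliest=$(printf '%s\n%s\n' "$now" "$exp" | LC_ALL=C sort | head -n 1)
    if [ "$earliest" != "$now" ]; then
        echo "security.txt: expired on $exp"
        return 1
    fi
    return 0
}

# live_check HOST: run the same checks against a real site. The front page and
# a path that must 404 are both fetched, because `Header always set` has to
# cover error responses as well as 200s. (Assumed hostname and probe path.)
live_check() {
    host=$1
    for path in / /this-path-does-not-exist; do
        echo "== https://$host$path"
        curl -sI "https://$host$path" | check_headers || return 1
    done
    curl -sI "https://$host/" | hsts_ok || return 1
    curl -s "https://$host/.well-known/security.txt" | check_security_txt
}

# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_OK="HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
content-security-policy: default-src 'self'; frame-ancestors 'self'
"
# What a 404 looks like when the directives use `Header set` instead of `Header always set`.
SAMPLE_404_NO_ALWAYS="HTTP/2 404
content-type: text/html; charset=iso-8859-1
"

printf '%s' "$SAMPLE_OK" | check_headers && echo "sample 200: all six headers present"
printf '%s' "$SAMPLE_OK" | hsts_ok && echo "sample 200: HSTS max-age is one year"
printf '%s' "$SAMPLE_404_NO_ALWAYS" | check_headers || echo "sample 404: headers lost (use Header always set)"
```

Run `live_check yourdomain.com` from a machine outside the server; a non-zero exit with a "missing:" line on the 404 path is the signature of Header set having been used where Header always set was needed.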

🛡 Re-run the audit

Verify every header, TLS protocol and security.txt with a fresh scan.
