
How to Fix Security Headers in DirectAdmin

DirectAdmin is a popular lightweight alternative to cPanel and Plesk. It uses Apache or Apache+nginx via CustomBuild, both of which support security header injection. This guide walks through every fix our Security Audit raises on a DirectAdmin server: HTTP headers via .htaccess (per-account) or CustomBuild custom HTTPD includes (server-wide), TLS via CustomBuild options, and publishing security.txt. Tested against DirectAdmin 1.66 on AlmaLinux 9. For raw Apache configuration, see the Apache variant; for the full finding catalogue, see Security Audit Fixes.

1. Per-account: .htaccess approach

If you only need headers for one or two accounts, the .htaccess approach is fastest.

Step 1
Open File Manager
DirectAdmin user panel → System Info & Files → File Manager → domains/yourdomain.com/public_html. Toggle Show hidden files if .htaccess is invisible.
Step 2
Add the directives
Edit .htaccess and add:
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'self'"
</IfModule>

2. Server-wide: CustomBuild custom HTTPD config

For a server-wide policy that applies to every domain without editing each .htaccess, use DirectAdmin's CustomBuild custom HTTPD includes. This requires root SSH access.

Step 1
Create the custom include
mkdir -p /usr/local/directadmin/custombuild/custom/ap2/conf/extra
nano /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-includes.conf
Paste the six Header always set directives (same syntax as the .htaccess version, no IfModule wrapper needed at server level).
Step 2
Rebuild Apache config
cd /usr/local/directadmin/custombuild
./build rewrite_confs
The custom include is now applied to every Apache vhost on the server.
💡 CustomBuild custom directories survive DirectAdmin updates. Edits to /etc/httpd/conf/ directly are overwritten on the next CustomBuild run.

3. Configure TLS via CustomBuild

Step 1
Set TLS protocols in options
cd /usr/local/directadmin/custombuild
./build set http2 yes
./build set tls13 yes
./build rewrite_confs
This enables TLSv1.2 and TLSv1.3, disables older protocols, and switches on HTTP/2.

4. Publish security.txt

Step 1
Create the file
File Manager → public_html → create .well-known/security.txt with:
Contact: mailto:security@yourdomain.com
Expires: 2027-05-18T00:00:00.000Z
Preferred-Languages: en
Canonical: https://yourdomain.com/.well-known/security.txt
Step 2
Force text/plain
In .htaccess:
<Files "security.txt">
  ForceType text/plain
</Files>

5. Verify

Step 1
Curl test
curl -sI https://yourdomain.com/ | grep -iE "strict-transport|x-frame|x-content|referrer|permissions|content-security"
All six should appear. Re-run the Security Audit.
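To check the curl output more strictly than a grep (presence of all six headers, an HSTS max-age of at least one year, nosniff, and a frame-ancestors directive in the CSP), here is an added checker that is not part of this guide or of DirectAdmin. It parses a constructed sample of curl -sI output; feed it real output via stdin or a file for a live check.

```python
"""Audit a `curl -sI` header dump for the six headers this guide configures."""
import re

# The six response headers the .htaccess / CustomBuild include sets (lowercased).
REQUIRED = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
    "content-security-policy",
)

def parse_headers(raw: str) -> dict:
    """Parse curl -sI output (status line plus header lines) into a dict.
    Names are lowercased; a repeated header has its values joined with ', '."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def audit(raw: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 31536000):
        findings.append("hsts: max-age below one year (31536000)")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: expected 'nosniff'")
    csp = h.get("content-security-policy", "")
    if csp and "frame-ancestors" not in csp:
        findings.append("csp: no frame-ancestors directive (clickjacking protection)")
    return findings

# Constructed sample: a server where only part of the fix has been applied.
SAMPLE = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```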

🛡 Re-run the audit

Verify every header, TLS protocol and security.txt with a fresh scan.
