You are currently viewing How To Disable Cors Protection On cPanel/WHM Servers

How To Disable Cors Protection On cPanel/WHM Servers

Cross-Origin Resource Sharing (CORS) is a security feature that restricts web browsers from accessing resources (such as APIs or web pages) hosted on different domains than the one currently being accessed. While CORS is essential for web security, there may be instances where developers need to disable or adjust CORS protection on their server to allow legitimate cross-origin requests. In this blog, we’ll guide you through the steps required to disable or modify CORS protection on a cPanel/WHM server.

What is CORS? 

Cross-Origin Resource Sharing (CORS) is a security policy enforced by modern web browsers that regulates access to resources located on a domain other than the one from which the browser is currently loading. For example, if your website at https://example.com wants to request resources (like an API or image) from https://api.example.com, the request is classified as a “cross-origin” request.

By default, browsers block such requests for security reasons, preventing potential Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks. However, if the external server explicitly permits it through specific headers, CORS allows access.

Key HTTP headers that control CORS include:

  • Access-Control-Allow-Origin: Specifies which domains can access resources.
  • Access-Control-Allow-Methods: Specifies which HTTP methods (GET, POST, etc.) are allowed.
  • Access-Control-Allow-Headers: defines which headers are allowed during the actual request.

Why disable CORS?

While CORS serves a vital role in securing web applications, there are instances when you may need to disable or relax CORS restrictions:

  • API Development: During development, developers often run web applications on localhost and need access to external APIs that block cross-origin requests.
  • Third-Party Integration: Some applications or third-party services might need to interact with resources hosted on your server.
  • Internal Applications: If your applications run in a trusted, closed environment (such as an intranet), disabling CORS can simplify interactions between different services.

However, disabling CORS comes with risks, especially when exposing public-facing applications to cross-origin requests. Ensure that security measures, like token-based authentication, are in place to mitigate potential threats.

Prerequisites for Disabling CORS on cPanel/WHM

Before you proceed with disabling or modifying CORS on your cPanel/WHM server, make sure you meet the following requirements:

  1. Root Access: You need root or administrative access to the server, either through SSH or WHM.
  2. Familiarity with Apache or Nginx: Most cPanel/WHM servers run on Apache, though some may be configured with Nginx. Knowledge of how these web servers handle configuration files is essential.
  3. Backup Configuration Files: Always back up important files like .htaccess, httpd.conf, or any virtual host configuration before making any changes.

How to disable Cors Protection on the cPanel/WHM server 

1. Sites using SSL certificates

    Change the code below to add the site’s domain name and the cPanel username. Replace the correct code below.

    nano/etc/apache2/conf.d/userdata/ssl/2_4/cPanel_user_name/domain-name.com/yourinclude.conf

     > cPanel_user_name : Accounts cPanel Username

     >> domain-name.com : The domain name

    2. Inside the new file, enter the below code

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

    Save and close the file, then issue the below code to rebuild and restart Apache.

     /usr/local/cpanel/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd --hard

    3. None SSL Sites

    The appropriate location for the included file to be placed if you are not using an SSL for any reason is;

    nano/etc/apache2/conf.d/userdata/std/2_4/cPanel_user_name/domain-name.com/includename.conf

    As suggested above, enter the correct data in place of cPanel_User_name and domain-name.com. Once completed, enter the entire line of code into an SSH console, with the code below pasted inside the file.

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

    Finally, rebuild and restart Apache.

    /usr/local/cpanel/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd --hard
    • Core protection is now disabled, allowing any domain name to connect to and use your application’s resources. 
    • As previously stated, this is not a good idea in a production environment; therefore, to only allow one domain name through Cors protection, modify the first line of the code as follows:

    4. Going Further

    In some cases, you may wish to disable Cors protection for all accounts on the server. You can achieve this by placing your include.conf file in the below location. This will disable Cors protection for all SSL and non-SSL domain names on the Linux VPS Server.

     /etc/apache2/conf.d/userdata/your_include_file.conf

    Always perform a rebuild and reboot after you modify Apache.

    /usr/local/cpanel/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd --hard

    Benefits of working with CROS

    • Enhanced API security: CORS helps protect against malicious applications attempting to make unauthorized cross-origin requests to sensitive resources on other domains. By relaxing the same-origin policy (SOP) and requiring explicit permission through CORS headers, it mitigates the risk of cross-site request forgery (CSRF) and unauthorized data access.
    • Cross-origin authentication: CORS facilitates secure cross-origin authentication by allowing the transmission of credentials, such as cookies or authentication tokens, in cross-origin requests. This is crucial for Single Sign-On (SSO) and other authentication systems.
    • Standardization: CORS is a standardized mechanism supported by all major web browsers. Its consistent implementation across browsers provides a reliable approach to managing cross-origin requests.
    • API integration: CORS is vital for web application integration with external APIs, allowing developers to incorporate third-party functionalities into their services seamlessly.

    cPanel Server Management Services with SupportFly

    Here’s What We Offer Under Our cPanel Server Management Services

    SupportFly’s expert and certified team members are available 24×7 to provide support, solutions, and consulting services for cPanel server support and cloud infrastructure management.

    • Installation and Setup Services: We ensure that all configurations are optimized for your specific needs, providing a solid foundation for your hosting environment.
    • Server Migration: Our experts manage the entire migration process to minimize downtime and ensure a smooth transition.
    • Server Security Audit: Our team implements necessary measures to enhance server security and protect your data from threats.
    • Server Optimization: We fine-tune server settings, optimize resource allocation, and implement caching mechanisms to enhance website loading speeds and overall server performance.
    • Hacking Prevention: Our team continuously monitors server activity, detects suspicious behaviour, and implements security protocols to safeguard your data.
    • Disk space clean-up: Our experts identify and delete unused or temporary files, freeing up disk space and improving server performance.
    • Backup notifications: Our system sends regular notifications to ensure you’re aware of backup completion and any potential issues that may arise.
    • Blacklist Monitoring: Our team proactively monitors blacklists and takes necessary actions to remove your server from blacklists, minimizing email delivery issues.
    • Security checkups: Our experts identify security gaps, apply necessary patches and updates, and implement additional security measures to protect your server from emerging threats.

    Conclusion 

    Disabling or modifying CORS protection on a cPanel/WHM server can be a straightforward process, especially when using methods like editing .htaccess or updating Apache configuration files. However, this comes with potential security risks that should not be overlooked.

    By following the steps outlined in this guide and implementing strong security measures, you can ensure that cross-origin requests are handled safely and efficiently. Always balance the flexibility of cross-origin access with the necessary security precautions to protect your server and its resources.

    FAQs

    Q1. What is the main purpose of CORS?

    The primary purpose of Cross-Origin Resource Sharing (CORS) is to enhance security by controlling how web browsers interact with resources hosted on different domains. It prevents unauthorized cross-origin requests, protecting against potential attacks such as Cross-Site Request Forgery (CSRF) and unauthorized data access. CORS allows servers to specify which domains are permitted to access resources, maintaining a balance between security and flexibility.

    Q2. Can I re-enable CORS after disabling it?

    Yes, you can easily re-enable CORS after disabling it. This is typically done by modifying the relevant server configuration, such as the .htaccess file or Apache/Nginx configuration, to restore the necessary CORS headers. You can also fine-tune the settings to allow specific domains or methods instead of completely disabling the policy.

    Q3. How do I know if my changes were successful?

    To verify if CORS has been disabled or modified successfully, test your server using browser developer tools or a tool like Postman. You should try making a cross-origin request to see if it’s permitted without any errors. If successful, you’ll no longer see CORS-related errors in the browser console, such as “Blocked by CORS policy.”

    Q4. Are there alternatives to disabling CORS?

    Yes, instead of fully disabling CORS, you can selectively allow trusted domains by adjusting the Access-Control-Allow-Origin header. This way, you maintain security while granting access to specific cross-origin requests. You can also implement server-side proxies to handle cross-origin requests securely.

    Q5. What should I do if I encounter issues?

    If you face issues after modifying CORS settings, check the server logs for errors and ensure the configuration changes were applied correctly. If needed, review the syntax of the headers and consult documentation or support forums for troubleshooting guidance.