A+ SSL with HSTS: Your guide to mastering SSL Labs test

We've put together a guide to achieving an A+ SSL/TLS rating on the SSLLabs.com test - good luck!


Once you've logged into WHM for the server that powers your domain name, each of the following services needs tightening:

  1. Apache web server
  2. cPanel/WHM web daemons/services
  3. cPanel web disk service
  4. Mail server (IMAP/POP)
  5. Outbound SMTP server
  6. FTP server

Depending on when you installed cPanel+WHM, you will have different server default settings applied.

First, make sure SSL is disabled entirely (SSLv2 and SSLv3) and that only TLS v1.2 and v1.3 are offered.

Search for each component, open its WHM configuration page and change the settings below. For example: WHM > Service Configuration > cPanel Web Services Configuration

  1. Protocols/versions (cPanel): SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
    Protocols/versions (other): all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  2. Cipher suites: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
  3. File ETag: None
  4. SSL stapling: Enabled
  5. Server Signature: Disabled
  6. Server Tokens: Product only

In WHM, go to Home » Service Configuration » Apache Configuration » Include Editor, open the Pre Main Include section for All Versions and add the following lines:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

Once you've saved the configuration for every service listed above, you should receive an A+. Only the Apache settings are needed to pass SSL Labs, but the other services must be changed too if the server's security is to actually improve, since SSL Labs only tests the web server.
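To check the three settings before re-running the test, here is a small offline linter written for this guide (it is an added example, not code from the original article or from cPanel). It accepts the protocol string in either the cPanel or the Apache form, the cipher list, and the HSTS header line; the six-month HSTS threshold and the forward-secrecy/AEAD cipher rule are assumptions modelled on the SSL Labs grading criteria.

```python
"""Offline linter for the WHM/cPanel TLS settings described in this guide."""
import re

ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HSTS_MIN_AGE = 15768000  # six months: assumed SSL Labs threshold for the A+ bonus


def enabled_protocols(spec: str) -> set:
    """Expand 'all -SSLv3 ...' (Apache) or 'SSLv23:!SSLv3:...' (cPanel) into a set."""
    enabled = set()
    for tok in re.split(r"[\s:]+", spec.strip()):
        if not tok:
            continue
        negate = tok[0] in "-!"
        name = tok.lstrip("-!+").replace("_", ".")  # cPanel writes TLSv1_1
        names = set(ALL_PROTOCOLS) if name.lower() in ("all", "sslv23") else {name}
        enabled = enabled - names if negate else enabled | names
    return enabled


def weak_ciphers(cipher_list: str) -> list:
    """Return suites lacking forward secrecy or an AEAD mode, or that are known-weak."""
    bad = []
    for suite in filter(None, cipher_list.split(":")):
        forward_secret = suite.startswith(("ECDHE-", "DHE-", "TLS_"))
        aead = "GCM" in suite or "CHACHA20" in suite
        weak = re.search(r"RC4|3DES|DES-CBC|MD5|NULL|EXP|anon", suite)
        if not forward_secret or not aead or weak:
            bad.append(suite)
    return bad


def hsts_ok(header_line: str) -> bool:
    """True if an Apache 'Header ... Strict-Transport-Security' line has a long max-age."""
    m = re.search(r'Strict-Transport-Security\s+"([^"]*)"', header_line)
    age = re.search(r"max-age=(\d+)", m.group(1)) if m else None
    return age is not None and int(age.group(1)) >= HSTS_MIN_AGE


def lint(proto_spec: str, ciphers: str, hsts_line: str) -> list:
    """Collect findings for one service; an empty list means the guide's settings are met."""
    findings = []
    protos = enabled_protocols(proto_spec)
    if protos & LEGACY_PROTOCOLS:
        findings.append(f"legacy protocols still enabled: {sorted(protos & LEGACY_PROTOCOLS)}")
    if "TLSv1.2" not in protos:
        findings.append("TLSv1.2 not enabled")
    if weak_ciphers(ciphers):
        findings.append(f"cipher suites to remove: {weak_ciphers(ciphers)}")
    if not hsts_ok(hsts_line):
        findings.append("HSTS header missing or max-age below six months")
    return findings
```

Paste the value from each WHM field into `lint()`; a non-empty result lists exactly what still needs changing before the SSL Labs re-test.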

If you're keen to expand your cPanel+WHM knowledge and further improve on your server's configuration, we recommend that you certify yourself through the cPanel University at https://university.cpanel.net
