Tag Archives: ssl

Web application security

Below is a security checklist for a web application.

  1. Login screen
    1. To avoid brute-force attacks, display a captcha after 3-5 attempts from the same IP
    2. Enforce longer passwords, more than 8 characters
  2. Registration (or open form)
    1. Display a captcha on every form before it can be submitted
  3. SSL is a must, free or paid
  4. Avoid displaying a table's primary ID in the URL; use another ID instead, e.g. a secure ID consisting of 10 unique randomized alphanumeric characters
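A sketch of checklist item 1.1, added here as an example and not part of the original post: failed logins are counted per IP, and once the threshold is reached a captcha must be solved before the password is even checked. The class and function names and the 15-minute window are assumptions; the checklist gives only the 3-5 attempt threshold.

```python
import time
from collections import defaultdict, deque

CAPTCHA_THRESHOLD = 3      # checklist: captcha after 3-5 attempts from the same IP
WINDOW_SECONDS = 15 * 60   # assumption: the checklist does not give a time window


class LoginThrottle:
    """Tracks recent failed logins per client IP (hypothetical helper)."""

    def __init__(self, threshold=CAPTCHA_THRESHOLD, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.clock = clock                    # injectable so tests need no sleeping
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def _recent(self, ip):
        """Drop failures older than the window and return how many remain."""
        q = self._failures.get(ip)
        if q is None:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[ip]            # keep the table from growing forever
            return 0
        return len(q)

    def captcha_required(self, ip):
        return self._recent(ip) >= self.threshold

    def record_failure(self, ip):
        self._recent(ip)
        self._failures[ip].append(self.clock())


def handle_login(throttle, ip, password_ok, captcha_ok=False):
    """Return 'captcha_required', 'denied' or 'ok' for one login attempt."""
    if throttle.captcha_required(ip) and not captcha_ok:
        return "captcha_required"             # password is not evaluated at all
    if not password_ok:
        throttle.record_failure(ip)
        return "denied"
    # Failures are left to age out rather than being cleared on success, so a
    # client with one valid account cannot reset its own counter between guesses.
    return "ok"
```

In a real application the IP must come from the connection itself (or from a proxy header only when the proxy is trusted), otherwise the counter can be sidestepped by sending a different header value on each request.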

Installing SSL with WHM cPanel

Steps to install SSL using WHM (WebHost Manager)

I’ve done this once but have already forgotten, so I’ll keep a note of the installation for future reference.

I will update this post again soon (while I do the SSL installation on the server).

There is a group of functions for SSL certificate installation that covers the following:

  • Generate an SSL Certificate and Signing Request
  • Install an SSL Certificate and Setup the Domain
  • Manage SSL Hosts
  • Purchase and Install an SSL Certificate
  • SSL Key/Crt Manager

Steps to install

  1. Get the CSR (certificate signing request) in WHM
    1. If it has not been generated yet, go to SSL/TLS > Generate an SSL Certificate and Signing Request
    2. This produces the CSR, the RSA key and a certificate
    3. The CSR can also be retrieved from SSL/TLS > SSL Key/Crt Manager, under the “Signing Requests” column for the specified domain
  2. Activate the SSL with the provider (it must be purchased first)
    1. Choose Apache OpenSSL and paste the CSR generated on the server
    2. Verify the email and contact information
    3. Wait for an email after submitting the request for the SSL certificate (this will take quite some time, 5-20 minutes)
    4. Go through the verification to get the certificate (the verification code is sent with the email)
  3. Install the SSL certificate in WHM, which needs:
    1. The crt (the certificate received from the provider)
    2. The RSA key generated by the server
    3. The CA bundle (from the provider)

To renew, the easiest way is to remove the host first and repeat the steps as a new installation. The site will be down for some time during the process (after the host is removed).

An error that might occur is that the IP is not dedicated. If this persists, try changing the IP in Account Functions > Change Site’s IP Address.