What is a security token?
“Security token” URLs were added in cPanel & WHM 11.25 as a security measure, and they were enabled by default in version 11.28. They help combat a common type of attack called a Cross-Site Request Forgery (XSRF).
So, what does a “security token” look like? Take, for example, this URL:
https://example.com:2087/i/love/cpanel
With security tokens enabled, this would become:
https://example.com:2087/cpsessYYYYYYY/i/love/cpanel
In that example, cpsessYYYYYYY is the token unique to that logged-in user on that browser. (You can learn more about security tokens in cPanel & WHM by reading our Security Tokens white paper.) In order for your custom script to work with cPanel & WHM, every URL involved needs to be compatible with the security token.
Creating security token-compatible URLs
Fortunately, it is very easy to do!
The token is available in the environment variable ‘cp_security_token’.
If security tokens are not in use, ‘cp_security_token’ will be an empty string.
If security tokens are in use, ‘cp_security_token’ will be, in terms of the above example: /cpsessYYYYYYY
Note the preceding slash! Since the variable has that slash, the examples will work whether cPanel & WHM has security tokens enabled or disabled.
- Here’s how you’d use it in Perl code that calls one of our API URLs.
Simply change this:
my $APIurl = "http://127.0.0.1:2087/xml-api/$url";
to this:
my $APIurl = "http://127.0.0.1:2087$ENV{'cp_security_token'}/xml-api/$url";
- Here’s how you might use it in JavaScript for, say, an AJAX call.
First, make it available to your JavaScript. For example, from the Perl script that renders the page:
print <<"END_SECURITY_TOKEN_JAVASCRIPT";
if ( !("CPANEL" in window) ) CPANEL = {};
CPANEL.security_token = "$ENV{'cp_security_token'}";
END_SECURITY_TOKEN_JAVASCRIPT
Next, make your URLs compatible by changing this:
var ajaxURL = '/3rdparty/ZZZ/zzz.cgi';
to this:
var ajaxURL = CPANEL.security_token + '/3rdparty/ZZZ/zzz.cgi';
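The two snippets above show the simplest case (prepend the token to a relative path). The following is an added example, not cPanel's own code, that generalises the same rule into a small helper for the browser side: it reads the token a script exposed as CPANEL.security_token, inserts it between the origin and the path for both relative paths and absolute URLs, refuses to build a URL from a malformed token, and leaves a URL alone if it already carries the token. The token format it checks for (empty, or "/cpsess" followed by letters and digits) is an assumption drawn from the examples on this page, not a documented guarantee.

```javascript
// Added example (not cPanel's own code) for building security-token-compatible URLs.
// ASSUMPTION: a token is either "" (tokens disabled) or "/cpsess" followed by
// alphanumeric characters, as in the page's "/cpsessYYYYYYY" example.
const TOKEN_RE = /^(?:|\/cpsess[A-Za-z0-9]+)$/;

function isValidSecurityToken(token) {
  return typeof token === "string" && TOKEN_RE.test(token);
}

// Read the token that the server-side script exposed as CPANEL.security_token;
// fall back to "" so URL building still works when tokens are disabled.
function currentSecurityToken(win) {
  const t = win && win.CPANEL && win.CPANEL.security_token;
  return typeof t === "string" ? t : "";
}

// Insert the token between the origin (scheme://host:port, if present) and the path.
// Idempotent: a URL whose path already starts with the token is returned unchanged,
// so calling this twice on the same URL does not produce "/cpsessX/cpsessX/...".
function withSecurityToken(token, url) {
  if (!isValidSecurityToken(token)) {
    throw new Error("refusing to build a URL with a malformed security token");
  }
  const m = url.match(/^(https?:\/\/[^/]+)?(\/.*)$/);
  if (!m) {
    throw new Error("expected an absolute http(s) URL or a path starting with /");
  }
  const origin = m[1] || "";
  const path = m[2];
  if (token !== "" && (path === token || path.startsWith(token + "/"))) {
    return url; // already token-compatible
  }
  return origin + token + path;
}

// Typical use in page code: const ajaxURL = withSecurityToken(currentSecurityToken(window), "/3rdparty/ZZZ/zzz.cgi");
```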