The Official cPanel Blog

Making your script work with security tokens in cPanel & WHM


What is a security token?

“Security token” URLs were added in cPanel & WHM 11.25 as a security measure, and they were enabled by default in version 11.28. They help combat a common type of attack called a Cross-Site Request Forgery (XSRF).

So, what does a “security token” look like? Take, for example, this URL:

https://example.com:2087/i/love/cpanel

With security tokens enabled, this would become:

https://example.com:2087/cpsessYYYYYYY/i/love/cpanel

In that example, cpsessYYYYYYY is the token unique to that logged-in user on that browser.

(You can learn more about security tokens in cPanel & WHM by reading our Security Tokens white paper.)

In order for your custom script to work with cPanel & WHM, every URL involved needs to be compatible with the security token. 

Creating security token-compatible URLs

Fortunately, it is very easy to do! 

The token is available in the environment variable 'cp_security_token'.

If security tokens are not in use, 'cp_security_token' will be an empty string.

If security tokens are in use, 'cp_security_token' will be, in terms of the above example: /cpsessYYYYYYY

Note the preceding slash!  Since the variable has that slash, the examples will work whether cPanel & WHM has security tokens enabled or disabled.

  • Here's how you'd use it in Perl code that calls one of our API URLs.

    Simply change this:

    my $APIurl = "http://127.0.0.1:2087/xml-api/$url";

    to this:

    my $APIurl = "http://127.0.0.1:2087$ENV{'cp_security_token'}/xml-api/$url";

  • Here's how you might use it in JavaScript for, say, an AJAX call.

    First, make it available to your JavaScript. For example:


    # Emit the token into the page so client-side code can build URLs with it.
    print <<"END_SECURITY_TOKEN_JAVASCRIPT";
    <script type="text/javascript">
        if ( !("CPANEL" in window) ) CPANEL = {};
        CPANEL.security_token = "$ENV{'cp_security_token'}";
    </script>
    END_SECURITY_TOKEN_JAVASCRIPT


    Next, make your URLs compatible by changing this:

    var ajaxURL = '/3rdparty/ZZZ/zzz.cgi';

    to this:

    var ajaxURL = CPANEL.security_token + '/3rdparty/ZZZ/zzz.cgi';
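The URL-building step above, wrapped in a helper, as an added JavaScript example that is not part of the original post or cPanel's own code. The name `withSecurityToken` and the token pattern are assumptions (the pattern is inferred from the `/cpsessYYYYYYY` example); the helper covers the empty-token case, avoids stacking a second token on an already-prefixed path, and refuses URLs that would carry the token to another host.

```javascript
// Added example, not cPanel code. Builds token-compatible URLs for AJAX calls.
// Both patterns are an assumed token shape based on the page's "/cpsessYYYYYYY".
const TOKEN_RE = /^\/cpsess[A-Za-z0-9]+$/;
const TOKEN_PREFIX_RE = /^\/cpsess[A-Za-z0-9]+(?=\/|$)/;

function withSecurityToken(path, token) {
  // Tokens disabled: the variable is an empty string and the path is unchanged.
  token = token || '';
  if (token !== '' && !TOKEN_RE.test(token)) {
    throw new Error('unexpected security token format');
  }
  // Accept only same-server absolute paths. A full or protocol-relative URL
  // would put the session token into a request for whatever host it names.
  if (typeof path !== 'string' || !/^\/(?![\/\\])/.test(path)) {
    throw new Error('expected a path starting with a single "/"');
  }
  // Drop a token that is already present so a stale one is replaced
  // instead of being stacked in front of the new one.
  const bare = path.replace(TOKEN_PREFIX_RE, '') || '/';
  return token + bare;
}

// Constructed sample values; in a browser, pass CPANEL.security_token instead.
const sampleToken = '/cpsessYYYYYYY';
console.log(withSecurityToken('/3rdparty/ZZZ/zzz.cgi', sampleToken));
console.log(withSecurityToken('/3rdparty/ZZZ/zzz.cgi', ''));
```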

 

LivePHP


Currently, if you want to write a Plugin for cPanel, you can write it in either LivePHP or cPPHP. Last year, we put some major effort into refactoring LivePHP. We added better debugging information, optimized the socket communication protocol, and added a few other tweaks. After a year of vetting by external developers, I can say with confidence: there is no longer any reason to use cPPHP when developing your application.

Why you should use RPMs to distribute your application


As a developer, it is important to understand who you are developing for. When developing an application for cPanel & WHM servers, there are 5 potential customer profiles to be aware of: 

  • Data centers 
  • Developers 
  • Website owners 
  • System administrators 
  • Hosting providers 

Understanding these profiles will help you scope and define a project. 

In this article, we will focus on Data centers and the various problems you might encounter when working with them. 

Spotlight On: Creating DNS Modules


In cPanel & WHM 11.30, we added the ability to add 3rd party systems to your DNS cluster. With this ability, we added functionality that allows you to create dnsadmin plugins. You can use these plugins to control and configure remote nodes of your DNS cluster.  The plugins themselves consist of a few Perl modules. Creating a dnsadmin plugin will require some familiarity with Perl.

To begin building a dnsadmin plugin, please read the documentation.

Announcement:

With the release of Enkompass 2.0 on Tuesday, several exciting new integration features are now available.

XML API for Enkompass - Crafted to be familiar to our existing cPanel XML API users. We provide comparable functionality, plus extensions to the API for the Enkompass-specific functionality.

XML API Developer Page - Try out the API calls from the developer page access in System Administration Interface (SAI) by logging in with your account and using this link:

http://<your Enkompass server>:2086/API/xml-api/

These developer pages include complete self-documentation for this API as well as test pages for each available function.

Remote Access Keys - A new interface for configuring remote access keys for XML API authentication has been added to the System Administration Interface. To access this tool, type "remote access" in the find box of the System Administration Interface. Remote access keys can be set up for any account in Enkompass. These keys have an added security feature: you can set a start and end date for the key, allowing you to provide limited-time access to the XML API.

Hooks for the Enkompass API - We designed a framework for intercepting pre and post API calls to the Enkompass Core services. The framework we developed comes with two out of the box solutions: Command Hooks and URL Hooks. If these implementations do not meet your needs, the framework was designed with extensibility in mind. For more information check out the documentation at:

http://go.cPanel.net/enkwcfhooks

Coming Soon:

The Enkompass team is hard at work building the Addin interface for the Enkompass applications. With the Addin system, third party tools designed to work with Enkompass can be added to the System Administration Interface, Web Site Owner Interface, and Mail Owner Interface. I'll have more information on this soon.

We are pleased to announce that our PublicAPI PHP client is ready! This API query client is the sibling to Cpanel::PublicAPI that was announced last month.

You can download the PublicAPI PHP client at our github repository as well as the new cPanel PEAR channel.

One of the key distinctions of the PublicAPI PHP client class is that it's distributed as part of the cPanel PHP Library. The cPanel PHP library is a collection of PHP classes for interfacing with cPanel systems.

Introduction to cPanel & WHM APIs


Application Programming Interfaces (APIs) are fundamental to the cPanel & WHM product. APIs allow developers to perform actions (functions) that source and manipulate data related to cPanel accounts and system utilities. Our APIs are used by the cPanel developers when designing new features and interfaces but are also available to 3rd-party developers. In this post, we'll review the various APIs associated with cPanel and WHM and how you can use them in your own development.

cPanel::PublicAPI


Today I posted cPanel::PublicAPI to GitHub. This is a set of Perl modules that allows for easy access into cPanel's APIs from a simple object interface. This module offers several great features:

* Auto-detection of credentials (when available)
* Support for cPanel's DNS Clustering API
* Support for: cPanel, WHM, webmail and non-cPanel services.
* Minimal dependencies
* BSD Licensed

To get started, you can install cPanel::PublicAPI via CPAN; the source is also available on our GitHub repository if you wish to submit patches/changes. I strongly suggest reading the documentation on CPAN to get started.

cPanel 11.30


The release of cPanel & WHM version 11.30 in EDGE is right around the corner. With this release we have made numerous changes, added a few features and fixed some bugs. Predominantly, these changes can be encompassed in a few bullet points: 

  • Complete rewrite of update system
  • Addition of Cpanel::PublicAPI
  • Removal of Legacy Themes
  • Several new API calls

Though each of these changes may seem small when listed as bullet points, there are a few details that you, as someone who customizes or integrates with cPanel & WHM, should be aware of.

JSON vs. XML in LivePHP


A while back, Matt Dees blogged about our upcoming change to LivePHP in 11.28. Specifically, he mentions the use of JSON. In this article I will illustrate, in brief, why this change was made. The decision process, as you'll see, wasn't exactly straightforward, but a solid compromise.

Maintaining Application Compatibility


With version 11.28 of cPanel & WHM making its way into the production update tiers, now is a great time to discuss your application testing strategies. It's every developer's responsibility to test and verify their applications within their actual deployment environments. cPanel & WHM is a constantly evolving product. With each new version we aim to improve not only the end user experience, but also its suitability as a platform for your applications. We work hard to maintain a stable and consistent application platform, but sometimes changes for the better will require an additional effort from developers. We want to ensure that those changes happen before our customers and your end users notice a problem.

Have you heard of a development license? cPanel offers a product license especially for cPanel & WHM application developers. You don't have to sign your life away or give up your trade secrets to qualify. We really just want you to work to extend the functionality of cPanel & WHM to meet your needs. One of the great things about the development license is that it allows you to have multiple environments to test your application. The only cost to you is in the hardware and connectivity. There are limitations of course, but they are very reasonable. You cannot use a development license to host paid accounts. There's also a small banner displaying that the server is running a development license in the cPanel & WHM interfaces. To apply for this license visit the Developer’s License Application page and answer a few simple questions. Once we have ensured the validity of your request, we will gladly provide you with a development license.

When testing your application, you should verify it against both production and development versions of cPanel & WHM. If you are unfamiliar with how the product is published, then visit our page describing the cPanel & WHM versions and release process. In short, our EDGE releases represent the "cutting edge" version of the product and STABLE releases are our long-term support releases. If you notice a problem in any version, then please contact us through our support system. We give developers high priority here at cPanel, and we will try to resolve your issue or answer your question as quickly as possible.

Developing and testing against both development and production releases will help ensure that your application will continue to work as you expect it for all your users.

Upcoming Improvements to LivePHP


This past week, we have been working to improve livePHP. For those of you not familiar with livePHP, it is a PHP class that allows access to the cPanel & WHM API1 and API2 system within an object-oriented PHP environment.

We improved the backend of the livePHP system to use JSON for socket communication, which utilizes PHP’s native JSON internally. Our testing shows that this is a great deal faster (3X) than the previous XML-based serialization with custom PHP parsing functions.

Our intent has been to maintain compatibility with the legacy interface provided by the cpanel.php class. However, when changes of this nature are made, there is always a possibility of conflict. If you have an application, either for your internal use or public distribution, then we would love to get feedback on how this change has improved your product. We recommend that you submit a support request directly to us, so that we can help coordinate your testing. Please reference this article so that we can ensure your request gets the priority it deserves.

It should be noted that this is not available in public builds yet, so a ticket will need to be opened in order to coordinate your testing.

How to integrate applications with cPanel/WHM


Do you have a product or service offering that you would like to integrate with cPanel? I can help you with that. We are frequently approached by companies and individuals who have realized the incredible opportunity presented by integrating their offerings with the cPanel & WHM control panel. We are committed to providing a product that can easily be extended to meet your needs. The sections below contain more information about integrating with cPanel and WHM.

This is a very common question on the cPanel forums. Many times 'XYZ' is adding a particular DNS zone or creating a MySQL database. In this blog post, we'll go through the basics of script hooks and make a post hook that utilizes the XML-API to achieve 'XYZ.'

Skipping the WHM Getting Started Wizard


In this article we detail the steps required to remove the Getting Started Wizard.  Someone may want to do this for the purpose of delivering servers in a "Configured" state.