What is a security token?
“Security token” URLs were added in cPanel & WHM 11.25 as a security measure, and they were enabled by default in version 11.28. They help combat a common type of attack called a Cross-Site Request Forgery (XSRF).

So, what does a “security token” look like? Take, for example, this URL:
https://example.com:2087/i/love/cpanel

With security tokens enabled, this would become:
https://example.com:2087/cpsessYYYYYYY/i/love/cpanel

In that example, cpsessYYYYYYY is the token unique to that logged-in user on that browser. (You can learn more about security tokens in cPanel & WHM by reading our Security Tokens white paper.) In order for your custom script to work with cPanel & WHM, every URL involved needs to be compatible with the security token.

Creating security token-compatible URLs

Fortunately, it is very easy to do!

The token is available in the environment variable ‘cp_security_token’.

If security tokens are not in use, ‘cp_security_token’ will be an empty string.

If security tokens are in use, ‘cp_security_token’ will be, in terms of the above example: /cpsessYYYYYYY

Note the preceding slash! Since the variable has that slash, the examples will work whether cPanel & WHM has security tokens enabled or disabled.

  • Here’s how you’d use it in Perl code that calls one of our API URLS.
    Simply change this:

    my $APIurl = "http://127.0.0.1:2087/xml-api/$url";

    to this:

    my $APIurl = "http://127.0.0.1:2087$ENV{'cp_security_token'}/xml-api/$url";

  • Here’s how you might use it in JavaScript for, say, an AJAX call.
    First, make it available to your JavaScript. For example:

    print <<"END_SECURITY_TOKEN_JAVASCRIPT";

    if ( !("CPANEL" in window) ) CPANEL = {};
    CPANEL.security_token = "$ENV{'cp_security_token'}";

    END_SECURITY_TOKEN_JAVASCRIPT

    Next, make your URLs compatible by changing this:

    var ajaxURL = '/3rdparty/ZZZ/zzz.cgi';

    to this:

    var ajaxURL = CPANEL.security_token + '/3rdparty/ZZZ/zzz.cgi';