-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HPKP - HTTP Public Key Pinning Extension #26
Comments
Just to clarify, HPKP needs a certificate file with full chain of intermediate certificates and root CA certificate included. This is done best in |
https://bettercrypto.org also has a nice summary how this can be done. Also, no need to fear this feature. There is a Report-Only option which we could maybe even make the default (at least for LE as it is unlikely that people would use another CA if they use LE), not sure yet if https://report-uri.io/ supports that or if there are other services like this. So there is no excuse for not enabling this 😉 The requirements that @drybjed mentioned have been implemented by @drybjed in the meantime. |
For the record: OWASP about Certificate and Public Key Pinning and Transport Layer Protection Cheat Sheet with quite useful, practical/hands-on hints and checklists |
Based on IRC chat with drybjed I add this request here, and not to ansible-nginx.
HPKP is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities.
Read more about in links below.
Links:
https://tools.ietf.org/html/rfc7469
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
https://github.com/debops/ansible-nginx
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
The text was updated successfully, but these errors were encountered: