FEATURE: Public Key Pinning (HPKP)

[lewisgoddard]

Roadmap

• [ ] Generate hashes when the keys are updated.
• [ ] Replace hashes for automatic HPKP configuration in nginx-config/directive/bubbly_hpkp.conf
• [ ] Default to report only for safety, with documented options and warnings in-configuration.
• [ ] Secondary option with short life, due to short certificate life.
• [ ] Add documentation to README.md

  References

• https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning
• https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
• https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
• https://tools.ietf.org/html/rfc7469

[lewisgoddard]

Google is abandoning HPKP in favour of the Expect-CT header.

• https://www.theregister.co.uk/2017/10/30/google_hpkp/

This makes things much easier, as it works like CSP but for Certificate Transparency. No more hashing certificates and updating a file.

Expect-CT: max-age=0, report-uri="https://scotthelme.report-uri.io/r/default/ct/reportOnly"
Expect-CT: enforce,max-age=30,report-uri="https://scotthelme.report-uri.io/r/default/ct/enforce"

• https://scotthelme.co.uk/a-new-security-header-expect-ct/

[lewisgoddard]

See #16 for Expect-CT support.