Certbot: Add H̶S̶T̶S̶ ̶&̶ HPKP auto-configuration option

Created on 24 Nov 2015  ·  4Comments  ·  Source: certbot/certbot

This one is a feature request, or actually a request for comments.

I'd like to see flags for the auto-configuration of HTTP Strict Transport Security & HTTP Public Key Pinning for Apache and nginx in future versions of the _letsencrypt_ client.

Furthermore, I think it would make sense to introduce an option to permanently redirect the user from an HTTP vHost to the HTTPS vHost (ideally with an HSTS header) to ensure that the vHost is being accessed via HTTPS.

As an example, the following flags could be used for this purpose:

--use-hsts - Use HSTS in the vHost
--hsts-age=n - Set the HSTS age to n
--hsts-include-subdomains - Applies also on subdomains

--use-hpkp - Use HTTP Public Key Pinning
--hpkp-report-uri=URI - Set HPKP Report URI
--hpkp-override-age=n - Override the age of the pin
--hpkp-include-subdomains - Apply HPKP on subdomains

security enhancements
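The policy the issue asks for (HTTP vHost permanently redirects to HTTPS, HTTPS vHost sends a sane HSTS header) is easy to state and easy to get subtly wrong. The following is an added example, not Certbot code and not the implementation in PR #1395: a small checker in Certbot's own language that builds the header value the proposed `--hsts-age` / `--hsts-include-subdomains` flags would have to emit, parses a received `Strict-Transport-Security` value per RFC 6797, and audits constructed sample responses for both vHosts. The flag names are the issue's proposal, the thresholds `MIN_AGE` and `ONE_YEAR` are assumptions chosen for the example, and the sample responses are constructed, not captured from a real host. HPKP is deliberately left out, in line with the maintainers' position below.

```python
"""HSTS and HTTP-to-HTTPS redirect checker.

Added example for this thread; it is not Certbot code and does not model
Certbot's configurator. The thresholds below are assumptions chosen for the
example, not values from the issue or from PR #1395.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # assumed: the max-age preload lists commonly require
MIN_AGE = 15768000    # assumed: six months, a common lower bound


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory and no
    directive may appear twice; unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "includesubdomains":
            include = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include, preload)


def build_hsts(max_age: int, include_subdomains: bool = False,
               preload: bool = False) -> str:
    """Render the value the proposed --hsts-age / --hsts-include-subdomains
    flags would have to emit (hypothetical flags, not real Certbot options)."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def audit(url: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means the vHost
    matches the policy the issue asks for."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if urlsplit(url).scheme == "http":
        # The HTTP vHost should only redirect (RFC 6797 section 7.2); a UA
        # ignores HSTS received over plain HTTP (section 8.1), so a header
        # here gives no protection.
        loc = hdrs.get("location", "")
        if status not in (301, 308) or not loc.startswith("https://"):
            findings.append("http vhost does not permanently redirect to https")
        if "strict-transport-security" in hdrs:
            findings.append("HSTS header sent over plain http is ignored by clients")
        return findings
    value = hdrs.get("strict-transport-security")
    if value is None:
        findings.append("no HSTS header on https vhost")
        return findings
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        findings.append(f"malformed HSTS header: {exc}")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 tells clients to forget the policy")
    elif policy.max_age < MIN_AGE:
        findings.append(f"max-age {policy.max_age} below {MIN_AGE}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requested but preload requirements not met")
    return findings


# Constructed sample responses (not captured from any real host).
SAMPLES = [
    ("http://example.org/", 301, {"Location": "https://example.org/"}),
    ("http://example.org/", 200, {"Strict-Transport-Security": "max-age=31536000"}),
    ("https://example.org/", 200, {"Strict-Transport-Security": build_hsts(ONE_YEAR, True)}),
    ("https://example.org/", 200, {"Strict-Transport-Security": "max-age=300"}),
    ("https://example.org/", 200, {}),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(url, status, audit(url, status, headers) or ["ok"])
```

The second sample is the mistake the redirect option would prevent: an HTTP vHost that answers 200 with an HSTS header looks configured but protects nobody, because clients only honour the header over TLS. A configurator that sets a constant `max-age`, as the comments below say PR #1395 does, would also trip the `MIN_AGE` check if that constant were chosen too low.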

All 4 comments

That is actually a very good idea. +1.

We already have a pull request for --hsts, #1395. HPKP is extremely dangerous and we aren't going to add any form of support for it without a huge amount of care, testing and field experience first.

PR #1395 includes a very crude http-header placement mechanism (e.g. it sets a constant max-age time) that will be deprecated for a more versatile one.

So, Certbot does now have a way to help set up HSTS for you. I believe we're not going to do ongoing work on improving HPKP support now because of Google's decision to deprecate the technology. :-(
