Given that we do not control SSL certificates for websites served by CDN (probably the most important ones), I'm not really sure we're in a position to implement this in a way that would be usable.
Sure, adding HPKP is relatively easy to accomplish (in a non-fatal-error way) on the server that does SSL termination; there might be an option on the CDN side (the one generating the certs) to enable HPKP.
The CSP reporting can be implemented easily using https://report-uri.io/
As reported by Emanuel Bronshtein,
I suggest implementing the following for *.phpmyadmin.net websites:
* 'Public-Key-Pins-Report-Only' header, more information:
  https://developers.google.com/web/updates/2015/09/HPKP-reporting-with-chrome-46?hl=en
  https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning
* report-uri directive in CSP headers, more information:
  https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports
  One free service that can be used for that purpose:
  https://report-uri.io/
While using 'Public Key Pinning (HPKP)' is better, it's vulnerable to the 'HPKP Suicide/Footgun' problem (very bad to lose control over keys); more information:
https://scotthelme.co.uk/using-security-features-to-do-bad-things/
https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
Thus I suggest implementing only the reporting feature (Public-Key-Pins-Report-Only header).
More information regarding HPKP & Let's Encrypt usage:
https://scotthelme.co.uk/setting-up-le/
https://scotthelme.co.uk/lets-encrypt-smart-renew/
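As an added example (not code from the issue or from the phpMyAdmin project), the following Python builds the two header values proposed above: a Public-Key-Pins-Report-Only header whose pins are the base64 SHA-256 of the certificate's DER SubjectPublicKeyInfo, and a CSP header ending in report-uri. The SPKI bytes and the report-uri.io endpoint URLs used here are constructed placeholders; the function refuses to emit a pin set without a backup pin, which is the mitigation for the key-loss 'footgun' the issue refers to.

```python
"""Build Public-Key-Pins-Report-Only and CSP report-uri header values."""
import base64
import hashlib
import re

# A pin-sha256 value is the base64 of a 32-byte digest: 43 chars plus one '='.
PIN_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")


def spki_pin(spki_der: bytes) -> str:
    """Pin for a DER-encoded SubjectPublicKeyInfo (what openssl's
    `pkey -pubin -outform der | dgst -sha256 -binary | base64` outputs)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_report_only_header(pins, report_uri, include_subdomains=False):
    """Render the Public-Key-Pins-Report-Only header value.

    Report-Only never blocks connections, but we still require at least two
    distinct pins (active key + offline backup key) so the same pin set can be
    promoted to enforcement later without risking the 'HPKP suicide' case
    where a lost or rotated key leaves no matching pin."""
    unique = list(dict.fromkeys(pins))  # de-duplicate, keep order
    if len(unique) < 2:
        raise ValueError("need an active pin and at least one backup pin")
    for pin in unique:
        if not PIN_RE.match(pin):
            raise ValueError(f"not a base64 SHA-256 pin: {pin!r}")
    parts = [f'pin-sha256="{pin}"' for pin in unique]
    if include_subdomains:
        parts.append("includeSubDomains")
    parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def csp_header_with_report(policy: dict, report_uri: str) -> str:
    """Render a CSP header value from {directive: [sources]} plus report-uri."""
    directives = [f"{name} {' '.join(srcs)}" for name, srcs in policy.items()]
    directives.append(f"report-uri {report_uri}")
    return "; ".join(directives)


if __name__ == "__main__":
    # Constructed stand-ins for the active and backup SPKI DER blobs.
    active = spki_pin(b"constructed-active-spki-der")
    backup = spki_pin(b"constructed-backup-spki-der")
    # Placeholder report-uri.io endpoints; substitute the real account's URLs.
    print(hpkp_report_only_header([active, backup],
          "https://example.report-uri.io/r/default/hpkp/reportOnly"))
    print(csp_header_with_report({"default-src": ["'self'"]},
          "https://example.report-uri.io/r/default/csp/reportOnly"))
```

Browsers have since removed HPKP support entirely, so today only the CSP report-uri part of this remains actionable; the HPKP builder is kept for the issue's historical context.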