HPKP headers prevent MITM. Great to have it... maybe by default. Those headers can be computed automatically from certificate keys. More details here: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
Hello @nudzo,
I believe that the user should decide if he/she wants to use HPKP.
If you want, you can add HPKP over header https://caddyserver.com/docs/header
@elcore, that's clear, but it's far more comfortable when the server itself computes all those hashes for you and you don't have to search for how to assemble those headers. Of course an on|off switch in config would be great.
@nudzo OK -- you got me :smile: -- This could be an "Addon"
I hear ya, I've been thinking on this for a while. The problem is that Caddy is in the business of _not_ DoS'ing your site. :wink:
Of course on|off switch in config would be great.
Turning off HPKP has severe ramifications. I'm too nervous to approach HPKP at this time. There are too many variables.
For now, you can use the header directive to get a good grade on securityheaders.io.
Considering that Chrome removed HPKP, I know requesting support now may be declined, but not everyone has to like what Chrome does. I just hope Mozilla does not follow the same road. With features like must-staple they also use stuff Chrome does not, so it is not that much of a sign.
Please reconsider this feature. I think you have now more experience, and it is not that hard from a theoretical perspective.
The problem for server admins is the automatic re-keying (I think Caddy does that, doesn't it?), which needs a new HPKP header for the new key. Especially, this header must be deployed before!
But theoretically that is possible. You just need timing and automation. (And that's what you have in Caddy, so IMHO this feature is suited very well!) See https://raw.githubusercontent.com/rugk/ACME_LE_HPKP_Theory/master/screenshot.png (repo) for how I'd propose it.
Alternatively, you can of course always pin the root, which moves the trust from thousands of CAs to a single one (and maybe a backup one to be sure). That is even quite simple and not so risky that it could even be a simple opt-in on Caddy.
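The two constraints raised in this thread, that the pin is just a hash of the key's SubjectPublicKeyInfo (so a server could compute it itself) and that the pin for the next key must already be in the served header before re-keying, can be shown in a few lines of Go. This is an added example, not Caddy's code or the proposal in the linked repo; it assumes freshly generated P-256 keys standing in for the current and next certificate keys, a constructed self-signed root to exercise the root-pinning case from the last paragraph, and the `Public-Key-Pins` directive syntax (`pin-sha256="..."; max-age=...`) from RFC 7469.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NewKey generates a fresh P-256 key; it stands in for the keys an ACME
// client would create for the current certificate and for the next renewal.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewSelfSignedRoot builds a throwaway self-signed CA certificate so the
// root-pinning path can be exercised offline (constructed test data, not a real CA).
func NewSelfSignedRoot() *x509.Certificate {
	key := NewKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SPKIPin computes the HPKP pin of a public key: base64 of the SHA-256
// digest of the DER-encoded SubjectPublicKeyInfo.
func SPKIPin(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// CertPin pins a certificate we do not hold the key for (e.g. a root CA):
// the digest is over the certificate's own SubjectPublicKeyInfo bytes.
func CertPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// BuildHPKPHeader assembles the Public-Key-Pins header value. HPKP requires a
// backup pin that is not in the served chain, so the caller passes the pin of
// the key it intends to rotate to next.
func BuildHPKPHeader(currentPin, backupPin string, maxAge int) string {
	return fmt.Sprintf(`pin-sha256="%s"; pin-sha256="%s"; max-age=%d`, currentPin, backupPin, maxAge)
}

// PinsInHeader extracts the pin-sha256 values from a header value.
func PinsInHeader(header string) []string {
	var pins []string
	for _, part := range strings.Split(header, ";") {
		part = strings.TrimSpace(part)
		if strings.HasPrefix(part, "pin-sha256=") {
			pins = append(pins, strings.Trim(strings.TrimPrefix(part, "pin-sha256="), `"`))
		}
	}
	return pins
}

// SafeToRotate reports whether a new key may be deployed: clients that cached
// the served header must already hold that key's pin, otherwise they reject
// the site for up to max-age seconds after the rotation.
func SafeToRotate(servedHeader string, newPub interface{}) (bool, error) {
	newPin, err := SPKIPin(newPub)
	if err != nil {
		return false, err
	}
	for _, p := range PinsInHeader(servedHeader) {
		if p == newPin {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	cur, next, unplanned := NewKey(), NewKey(), NewKey()
	curPin, _ := SPKIPin(&cur.PublicKey)
	nextPin, _ := SPKIPin(&next.PublicKey)
	hdr := BuildHPKPHeader(curPin, nextPin, 60*24*3600)
	fmt.Println("Public-Key-Pins:", hdr)
	ok, _ := SafeToRotate(hdr, &next.PublicKey)
	fmt.Println("rotate to pre-announced key:", ok)
	ok, _ = SafeToRotate(hdr, &unplanned.PublicKey)
	fmt.Println("rotate to key never announced:", ok)
	fmt.Println("root CA pin:", CertPin(NewSelfSignedRoot()))
}
```

The `SafeToRotate` check is the gate an automated re-keying flow would need: a key whose pin was never served is unsafe to switch to, regardless of how the certificate for it was obtained, because browsers that cached the old header will refuse the new chain until max-age expires.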