Certbot: Add H̶S̶T̶S̶ ̶&̶ HPKP auto-configuration option

Created on 24 Nov 2015  Â·  4Comments  Â·  Source: certbot/certbot

This one is a feature request or actually request for comments.

I'd like to see flags for the auto-configuration of HTTP Strict Transport Security & HTTP Public Key Pinning for Apache and nginx in the future versions of the _letsencrypt_ client.

Furthermore, I think it would make sense to introduce an option to permanently redirect the user from an HTTP vHost to the HTTPS vHost (ideally with an HSTS header) to ensure that the vHost is being accessed via HTTPS.

As an example, the following flags could be used for this purpose:

--use-hsts - Use HSTS in the vHost
--hsts-age=n- Set the HSTS age to n
--hsts-include-subdomains- Applies also on subdomains

--use-hpkp - Use HTTP Public Key Pinning
--hpkp-report-uri=URI- Set HPKP Report URI
--hpkp-override-age=n - Override the age of the pin
--hpkp-include-subdomains- Apply HPKP on subdomains

security enhancements

Most helpful comment

We already have a pull request for --hsts, #1395. HPKP is extremely dangerous and we aren't going to add any form of support for it without a huge amount of care, testing and field experience first.

All 4 comments

That is actually a very good idea. +1.

We already have a pull request for --hsts, #1395. HPKP is extremely dangerous and we aren't going to add any form of support for it without a huge amount of care, testing and field experience first.

PR #1395 includes a very crude http-header placement mechanism (e.g. it sets a constant max-age time) that will be deprecated for a more versatile one.

So, Certbot does now have a way to help set up HSTS for you. I believe we're not going to do ongoing work on improving HPKP support now because of Google's decision to deprecate the technology. :-(

Was this page helpful?
0 / 5 - 0 ratings