Add H̶S̶T̶S̶ ̶&̶ HPKP auto-configuration option

[DatanoiseTV]

This one is a feature request or actually request for comments.

I'd like to see flags for the auto-configuration of HTTP Strict Transport Security & HTTP Public Key Pinning for Apache and nginx in the future versions of the letsencrypt client.

Furthermore, I think it would make sense to introduce an option to permanently redirect the user from an HTTP vHost to the HTTPS vHost (ideally with an HSTS header) to ensure that the vHost is being accessed via HTTPS.

As an example, the following flags could be used for this purpose:

--use-hsts - Use HSTS in the vHost
--hsts-age=n- Set the HSTS age to n
--hsts-include-subdomains- Applies also on subdomains

--use-hpkp - Use HTTP Public Key Pinning
--hpkp-report-uri=URI- Set HPKP Report URI
--hpkp-override-age=n - Override the age of the pin
--hpkp-include-subdomains- Apply HPKP on subdomains

[TheNavigat]

That is actually a very good idea. +1.

[pde]

We already have a pull request for --hsts, #1395. HPKP is extremely dangerous and we aren't going to add any form of support for it without a huge amount of care, testing and field experience first.

[sagi]

PR #1395 includes a very crude http-header placement mechanism (e.g. it sets a constant max-age time) that will be deprecated for a more versatile one.

[schoen]

So, Certbot does now have a way to help set up HSTS for you. I believe we're not going to do ongoing work on improving HPKP support now because of Google's decision to deprecate the technology. :-(