Add H̶S̶T̶S̶ ̶&̶ HPKP auto-configuration option #1611
Comments
That is actually a very good idea. +1.
We already have a pull request for --hsts, #1395. HPKP is extremely dangerous and we aren't going to add any form of support for it without a huge amount of care, testing and field experience first.
PR #1395 includes a very crude http-header placement mechanism (e.g. it sets a constant max-age time) that will be deprecated for a more versatile one.
So, Certbot does now have a way to help set up HSTS for you. I believe we're not going to do ongoing work on improving HPKP support now because of Google's decision to deprecate the technology. :-(
This one is a feature request, or actually a request for comments.
I'd like to see flags for the auto-configuration of HTTP Strict Transport Security & HTTP Public Key Pinning for Apache and nginx in future versions of the letsencrypt client.
Furthermore, I think it would make sense to introduce an option to permanently redirect the user from an HTTP vHost to the HTTPS vHost (ideally with an HSTS header) to ensure that the vHost is being accessed via HTTPS.
As an example, the following flags could be used for this purpose:
--use-hsts
- Use HSTS in the vHost
--hsts-age=n
- Set the HSTS age to n
--hsts-include-subdomains
- Also applies to subdomains
--use-hpkp
- Use HTTP Public Key Pinning
--hpkp-report-uri=URI
- Set HPKP Report URI
--hpkp-override-age=n
- Override the age of the pin
--hpkp-include-subdomains
- Apply HPKP on subdomains
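As an added example (not certbot's code, and not from this issue's author), the following renders the Strict-Transport-Security value that the proposed --hsts-age / --hsts-include-subdomains flags describe, validates such a header per RFC 6797, and emits the HTTP-to-HTTPS redirect vHost pair for nginx that the request asks for; the certificate paths and the `nginx_vhost_pair` helper name are placeholders chosen here.

```python
"""Added example, not certbot's own code: HSTS header rendering/validation and
an nginx HTTP-to-HTTPS redirect vHost pair matching the flags proposed above."""


def build_hsts_header(max_age: int, include_subdomains: bool = False) -> str:
    """Strict-Transport-Security value; max-age is in seconds (RFC 6797 s6.1.1)."""
    if max_age < 0:
        raise ValueError("max-age must be a non-negative integer")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts_header(value: str) -> dict:
    """Parse an HSTS header value: directives separated by ';', names are
    case-insensitive, max-age is mandatory, a directive may appear only once."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = raw.strip().strip('"')  # quoted-string form is allowed
    if not seen.get("max-age", "").isdigit():
        raise ValueError("max-age directive missing or not a non-negative integer")
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def nginx_vhost_pair(domain: str, hsts_value: str) -> str:
    """HTTP vHost that 301-redirects to HTTPS plus an HTTPS vHost carrying HSTS.
    The header goes only on the HTTPS vHost: browsers ignore HSTS received over
    plain HTTP. Certificate paths are placeholders, not real certbot paths."""
    return (
        f"server {{\n    listen 80;\n    server_name {domain};\n"
        f"    return 301 https://$host$request_uri;\n}}\n"
        f"server {{\n    listen 443 ssl;\n    server_name {domain};\n"
        f"    ssl_certificate     /PATH/TO/fullchain.pem;  # placeholder\n"
        f"    ssl_certificate_key /PATH/TO/privkey.pem;    # placeholder\n"
        f'    add_header Strict-Transport-Security "{hsts_value}" always;\n}}\n'
    )
```

The `always` parameter on `add_header` makes nginx send the header on error responses too, so a 404 over HTTPS still refreshes the policy.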