Check of Public Key Pinning (HPKP) - does not influence the score
If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.
|Result positive||Public Key Pinning is active (the result does not influence the score).|
|Result negative||Public Key Pinning is not available (HPKP is currently not under review).|
|Description||A powerful attacker, such as an intelligence agency, can obtain a certificate for your domain from a certificate authority (CA) that browsers trust, and users' browsers will accept it. To counter this, a website can instruct the browser on the first visit to remember (pin) a fingerprint of its public key. While a pin is in effect, the browser accepts only certificate chains that contain one of the pinned keys, for the period of time the website specifies.|
|Background||This is one of the hardest headers for non-experts to configure correctly. If you have a TLS certificate, you can tell the requesting browser how long it should remember the pin and send a hash of the certificate's public key (the "pin") as its unique identifier. On subsequent requests the browser checks whether the key in the presented certificate chain still matches a pinned key. If an attacker tries to present a forged certificate, the browser refuses the connection: it sends no data and displays no page. Further information about Public Key Pinning: Public Key Pinning (HPKP).|
|Consequence||For small and medium-sized companies, the target group of SIWECOS, this header can be used but is not a must. If it is configured wrongly, your website may be unreachable for users for a long period of time, namely until the correct certificates are in use or until the previously sent header expires; with a long max-age this can mean weeks or months.|
|Solution/Tips||Setting Public Key Pinning (HPKP) is not a must, and the SIWECOS Scanner currently does not take it into account. It is advisable not to activate it, or to do so only after consulting an expert.
Mozilla Firefox and Google Chrome have since dropped support for Public Key Pinning and therefore ignore HPKP headers (Chrome from version 72, Firefox from version 72). In browsers that still enforce it, a header with only a single pin is rejected: the specification (RFC 7469) requires at least two pins, at least one of which matches a key in the served certificate chain and at least one of which is a backup pin for a key that is not in the chain. Interested parties should get in touch with an IT security expert or web developer.
Further information can be found in the article from ZDNET.
Public-Key-Pins: pin-sha256="base64=="; pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
An example .htaccess file that sets this header is available here (.htaccess example); note that, unlike the other header checks, this one does not change the Header Scanner's score.
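The following Python script is an added example and is not part of the SIWECOS page or scanner. It shows how a pin-sha256 value is derived (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, as RFC 7469 specifies) and checks a Public-Key-Pins header against the rules a browser applied before noting pins: at least two pins, each a valid 32-byte digest, a max-age in seconds, one pin matching the served chain, and one backup pin for a key outside the chain. The SPKI byte strings are constructed stand-ins, not real keys; the header values built from them are likewise constructed.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
# In practice the bytes come from the certificate's public key; the
# pinning arithmetic does not depend on their content.
LEAF_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-leaf-spki"
BACKUP_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-backup-spki"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)).

    Equivalent to the openssl pipeline used on a real certificate:
      openssl x509 -in cert.pem -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | base64
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins value into its pins and remaining directives."""
    pins, directives = [], {}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        else:
            # Flag directives such as includeSubDomains carry no value.
            directives[name] = value if has_value else True
    return {"pins": pins, "directives": directives}


def validate_hpkp(header: str, served_chain_pins: list) -> list:
    """Apply the RFC 7469 noting rules.

    served_chain_pins: pin-sha256 values of every key in the chain the
    server actually presents. An empty result means a browser that
    enforces HPKP would note the pins; otherwise the header is ignored,
    or (for a single pin) reported as an error.
    """
    parsed = parse_hpkp(header)
    pins, directives = parsed["pins"], parsed["directives"]
    problems = []

    for pin in pins:
        try:
            digest = base64.b64decode(pin, validate=True)
        except ValueError:
            digest = b""
        if len(digest) != 32:
            problems.append(f"pin is not a base64 SHA-256 digest: {pin}")

    if len(pins) < 2:
        problems.append("fewer than two pin-sha256 values")

    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not an integer number of seconds")

    if not any(p in served_chain_pins for p in pins):
        problems.append("no pin matches a key in the served certificate chain")

    if pins and all(p in served_chain_pins for p in pins):
        problems.append("no backup pin for a key outside the served chain")

    return problems


if __name__ == "__main__":
    leaf, backup = spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)
    # The page's own syntax line with only one pin is rejected:
    single = f'pin-sha256="{leaf}"; max-age=5184000'
    print("single pin:", validate_hpkp(single, [leaf]))
    # Leaf pin plus a backup pin for an offline key is accepted:
    good = f'pin-sha256="{leaf}"; pin-sha256="{backup}"; max-age=5184000; includeSubDomains'
    print("leaf + backup:", validate_hpkp(good, [leaf]))
```

The accepted value is what would go into the Apache mod_headers directive `Header always set Public-Key-Pins "..."` in the .htaccess file; the backup key must be generated and stored offline before the header is deployed, since a lost backup key combined with a compromised or expired leaf key is exactly the lock-out scenario described under Consequence.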