Public-Key-Pins-Disabled/EN/Solution Tips: Unterschied zwischen den Versionen
| Zeile 1: | Zeile 1: | ||
| − | The setting of Public Key Pinning (HPKP) is not an absolute must, and is currently not taken into account by the SIWECOS Scanner. | + | The setting of [https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning Public Key Pinning] (HPKP) is not an absolute must, and is currently not taken into account by the SIWECOS Scanner. |
| − | The browsers Mozilla Firefox and Google Chrome comply with [https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning] and therefore ignore HPKP-headers. If only a single pin is set, an error message will appear. In order for pin validation to be successful, it is therefore always necessary to provide at least two public keys or a back-up pin. Interested parties should get in touch with an IT security expert or web developer. | + | The browsers Mozilla Firefox and Google Chrome comply with [https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning Public Key Pinning] and therefore ignore HPKP-headers. If only a single pin is set, an error message will appear. In order for pin validation to be successful, it is therefore always necessary to provide at least two public keys or a back-up pin. Interested parties should get in touch with an IT security expert or web developer. |
Further information can be found at [https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/ Article from ZDNET] | Further information can be found at [https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/ Article from ZDNET] | ||
| Zeile 9: | Zeile 9: | ||
<!-- | <!-- | ||
pin-sha256="<HASH>"; pin-sha256="<HASH>"; max-age=2592000; includeSubDomains; | pin-sha256="<HASH>"; pin-sha256="<HASH>"; max-age=2592000; includeSubDomains; | ||
| − | '''Activate HPKP''' - This feature can be activated easily by returning a public-key-pins HTTP header when the website is called up via | + | '''Activate HPKP''' - This feature can be activated easily by returning a public-key-pins HTTP header when the website is called up via HTTPS. ([https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning more informations]). |
'''--snip''' | '''--snip''' | ||
| Zeile 18: | Zeile 18: | ||
Here is an example of an .htaccess file which will set the '''HTTP-Security-Header-Scanner''' to green. | Here is an example of an .htaccess file which will set the '''HTTP-Security-Header-Scanner''' to green. | ||
| − | ([[Htaccess|.htaccess | + | ([[Htaccess|.htaccess example (German only]]) |
--> | --> | ||
Version vom 6. Februar 2019, 15:55 Uhr
The setting of Public Key Pinning (HPKP) is not an absolute must, and is currently not taken into account by the SIWECOS Scanner.
The browsers Mozilla Firefox and Google Chrome comply with Public Key Pinning and therefore ignore HPKP-headers. If only a single pin is set, an error message will appear. In order for pin validation to be successful, it is therefore always necessary to provide at least two public keys or a back-up pin. Interested parties should get in touch with an IT security expert or web developer.
Further information can be found at Article from ZDNET
