SSL Labs, HPKP Failing


#1

OK, another SSL Labs failure - trying to clean them up … :-). Any thoughts how to correct this one?

Public Key Pinning (HPKP) Incomplete No pins matched

Thanks!


#2

HPKP was a standard meant to reduce the risk of a compromised CA falsely issuing a certificate for a website, which would allow an attacker to MITM the connection.

https://caniuse.com/#search=hpkp

While still a standard, Chrome deprecated it last year and completely removed it with the current Chrome 69. While some other browsers still support it, it’s widely regarded as causing more issues than it fixes and can get in the way if you ever need to change SSL certificates or Cloudflare decides to change the certificates they use for SSL. See the following case where it went terribly wrong:

Today, you should only look into making sure you’re running with CAA records (as you are here) and setting up HSTS:

With CAA and HSTS combined, all visitors will be guaranteed to only visit your website over HTTPS using only certificate authorities you and Cloudflare trust.
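
The reply above recommends CAA plus HSTS in place of HPKP. The following is an added, offline example (not code from this thread or from Cloudflare) showing how the two controls are evaluated: the RFC 8659 CAA lookup that climbs from a hostname to the closest ancestor with a CAA record set and then applies the `issue` / `issuewild` rules, and a parser for the `Strict-Transport-Security` header per RFC 6797. The zone contents, hostnames, CA names and header values are constructed sample input; the one-year preload threshold is the hstspreload.org requirement, assumed here as a constant.

```python
"""Offline evaluation of CAA (RFC 8659) and HSTS (RFC 6797).

Added example; all zone data and header values are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed sample zone. CAA is set at the apex only, so hostnames under it
# inherit that record set via the RFC 8659 parent-climbing rule.
SAMPLE_ZONE = {
    "example.com": [
        CAA(0, "issue", "digicert.com"),
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),  # ";" alone: no CA may issue wildcard certs
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],  # no CA may issue for this name
}


def relevant_caa(name: str, zone: dict) -> list[CAA]:
    """Return the CAA record set governing `name`: its own, else the closest ancestor's."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]  # climb to the parent
    return []


def ca_may_issue(name: str, ca_domain: str, zone: dict) -> bool:
    """Decide whether `ca_domain` may issue a certificate for `name` (wildcard aware)."""
    wildcard = name.startswith("*.")
    target = name[2:] if wildcard else name
    rrset = relevant_caa(target, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard names when present; otherwise issue applies
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # records exist, but none of the relevant tag: no restriction
    for r in governing:
        issuer = r.value.split(";")[0].strip().lower()  # drop any "; key=value" parameters
        if issuer and issuer == ca_domain.lower():
            return True
    return False


_HSTS_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("[^"]*"|[^;\s]*))?\s*')
PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum (assumed constant)


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value. Returns {} if malformed:
    unparseable directive, a directive repeated, or max-age missing/non-numeric."""
    directives: dict = {}
    for part in header.split(";"):
        if not part.strip():
            continue
        m = _HSTS_DIRECTIVE.fullmatch(part)
        if not m:
            return {}
        name = m.group(1).lower()
        if name in directives:
            return {}  # RFC 6797 6.1: each directive may appear at most once
        value = m.group(2)
        directives[name] = value.strip('"') if value is not None else None
    if not (directives.get("max-age") or "").isdigit():
        return {}
    return directives


def hsts_assessment(header: str) -> str:
    """Classify an HSTS header as invalid, disabled, enabled, or preload-ready."""
    d = parse_hsts(header)
    if not d:
        return "invalid"
    max_age = int(d["max-age"])
    if max_age == 0:
        return "disabled"  # max-age=0 tells the browser to forget the host
    if "preload" in d and "includesubdomains" in d and max_age >= PRELOAD_MIN_AGE:
        return "preload-ready"
    return "enabled"


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "digicert.com")]:
        print(host, ca, "allowed" if ca_may_issue(host, ca, SAMPLE_ZONE) else "refused")
    print(hsts_assessment("max-age=31536000; includeSubDomains; preload"))
```

Two things the sample zone is built to show: a bare `issuewild ";"` blocks wildcard issuance even though ordinary names are still issuable, and a child name with its own `issue ";"` overrides the apex set rather than merging with it, because the lookup stops at the first record set it finds on the way up.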


#3

Appreciate the time you took to provide such a detailed answer - and it makes sense to me, even better … :-).

Thanks!