AnsweredAssumed Answered

HPKP report domain should be different than domain being tested, else issue warning

Question asked by smaug on May 15, 2016
Latest reply on May 15, 2016 by smaug

Thanks for this great Qualys SSL Labs tool. Here is a suggested improvement. Just like Qualys warns users if their HPKP hash is invalid or doesn't have a backup hash defined, so should Qualys SSL Labs warn users if they specify an HPKP reporting URL that is on the same domain. This is a violation of the standard. These reason is that if there is an HPKP violation, reporting to the same domain would potentially be problematic and the report never received. Therefore, reporting should occur on a separate domain. Hopefully Qualys can implement a check for this and notify users of such issues.


HTTP Public Key Pinning - Wikipedia, the free encyclopedia