checker: flag the deprecated Public-Key-Pins (HPKP) header

This commit is contained in:
nemunaire 2026-06-18 11:03:27 +09:00
commit 513a73f17f
3 changed files with 64 additions and 0 deletions


@ -112,6 +112,38 @@ func init() {
RegisterRule(disclosureHeaderRule("http.x_powered_by", "X-Powered-By", "the technologies used by the web server"))
RegisterRule(disclosureHeaderRule("http.x_aspnet_version", "X-AspNet-Version", "the ASP.NET framework version"))
RegisterRule(disclosureHeaderRule("http.x_aspnetmvc_version", "X-AspNetMvc-Version", "the ASP.NET MVC version"))
RegisterRule(deprecatedHPKPRule("http.hpkp", "Public-Key-Pins"))
RegisterRule(deprecatedHPKPRule("http.hpkp_report_only", "Public-Key-Pins-Report-Only"))
}
// deprecatedHPKPRule builds a rule for the HTTP Public-Key-Pins (HPKP)
// headers. Key pinning was removed from Chromium in 2018 and is
// unsupported by all modern browsers; its operational brittleness made it
// a frequent cause of self-inflicted outages. Certificate Transparency
// and CAA records provide superior compromise detection, so any presence
// is reported as Warn ".deprecated" and absence is OK ".absent".
func deprecatedHPKPRule(code, header string) sdk.CheckRule {
return HeaderRule(HeaderRuleSpec{
Code: code,
Description: "Reports the presence of the deprecated " + header + " (HPKP) header, which is unsupported by modern browsers and should be removed.",
Header: header,
Inspect: func(_ string, _ HTTPProbe, _ sdk.CheckerOptions) []HeaderResult {
return []HeaderResult{{
Status: sdk.StatusWarn,
Suffix: "deprecated",
Message: header + " (HPKP) is deprecated. Key pinning was removed from Chromium in 2018 and is unsupported by modern browsers; rely on Certificate Transparency and CAA DNS records instead.",
Meta: map[string]any{"fix": "Remove the `" + header + "` header from your responses."},
}}
},
OnMissing: func(_ HTTPProbe, _ sdk.CheckerOptions) []HeaderResult {
return []HeaderResult{{
Status: sdk.StatusOK,
Suffix: "absent",
Message: header + " is not set, which is correct (HPKP is deprecated).",
}}
},
})
}
// Information-disclosure headers --------------------------------------
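Review bot: The doc comment on deprecatedHPKPRule and the Inspect message both state that key pinning was "removed from Chromium in 2018", but Chromium deprecated HPKP in 2018 and only removed it in Chrome 72 (January 2019), with Firefox following in version 72 (January 2020); the comment should be made accurate and name the defining spec, e.g. `// headers (RFC 7469). Chromium deprecated HPKP in 2018 and removed it in Chrome 72 (2019);`. Inspect ignores the header value entirely, so a `max-age=0` header sent to clear previously set pins is warned just like an active pin; that is defensible since no shipping browser honours either, but worth stating in a one-line comment on Inspect such as `// Any value is flagged, including max-age=0: no current browser honours pins.`. Both registered variants share the same Message, so the Report-Only header is told to "rely on Certificate Transparency and CAA" as if it had been enforcing pins, which may read oddly to operators; consider a shorter shared message and leaving the rationale to Description.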