checker: flag the deprecated Public-Key-Pins (HPKP) header

2026-06-18 11:03:27 +09:00 · 2026-06-18 11:03:27 +09:00 · 513a73f17f
commit 513a73f17f
parent a0fb42223b
3 changed files with 64 additions and 0 deletions
--- a/checker/rules_security_headers_test.go
+++ b/checker/rules_security_headers_test.go
@ -353,6 +353,34 @@ func TestDisclosureHeaderRules(t *testing.T) {
 	}
 }

+func TestHPKPRules(t *testing.T) {
+	cases := []struct {
+		rule   string
+		header string
+	}{
+		{"http.hpkp", "public-key-pins"},
+		{"http.hpkp_report_only", "public-key-pins-report-only"},
+	}
+	for _, c := range cases {
+		t.Run(c.rule, func(t *testing.T) {
+			// Absent → OK, since HPKP is deprecated.
+			states := runRule(t, ruleByName(t, c.rule), &HTTPData{Probes: []HTTPProbe{httpsProbe("a:443")}}, nil)
+			mustStatus(t, states, sdk.StatusOK)
+			if !hasCode(states, c.rule+".absent") {
+				t.Errorf("%s: missing absent code: %+v", c.rule, states)
+			}
+			// Present → Warn deprecated.
+			p := httpsProbe("a:443")
+			p.Headers[c.header] = `pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; max-age=5184000`
+			states = runRule(t, ruleByName(t, c.rule), &HTTPData{Probes: []HTTPProbe{p}}, nil)
+			mustStatus(t, states, sdk.StatusWarn)
+			if !hasCode(states, c.rule+".deprecated") {
+				t.Errorf("%s: missing deprecated code: %+v", c.rule, states)
+			}
+		})
+	}
+}
+
 func TestSecurityHeaders_NoHTTPS(t *testing.T) {
 	// Each header rule must emit Unknown when there are no successful HTTPS probes.
 	rules := []sdk.CheckRule{
@ -366,6 +394,8 @@ func TestSecurityHeaders_NoHTTPS(t *testing.T) {
 		ruleByName(t, "http.x_powered_by"),
 		ruleByName(t, "http.x_aspnet_version"),
 		ruleByName(t, "http.x_aspnetmvc_version"),
+		ruleByName(t, "http.hpkp"),
+		ruleByName(t, "http.hpkp_report_only"),
 	}
 	data := &HTTPData{Probes: []HTTPProbe{httpProbe("a:80")}}
 	for _, r := range rules {