HTTPS Pinning

A. Schulze sca at andreasschulze.de
Wed Jun 5 16:56:14 UTC 2019



On 05.06.19 at 14:54, Sathish Kumar wrote:
> Hi Team,
> 
> We would like to fix the HTTPS pinning vulnerability on our Nginx and Mobile application Android/iOS. If I enable on Nginx, do we need to add the pinning keys on our application and have to rotate the pinning keys every time the SSL cert is renewed?
> 
> Please advise.

HPKP is more or less deprecated. I suggest to not use it anymore.
Use HSTS, try to understand the implication of "includeSubDomains" and https://hstspreload.org/

Andreas

