Details
HTTP Public Key Pinning, also known as certificate pinning, allows a site to specify exactly which certificates the browser or another user agent should accept. HTTP Public Key Pinning also allows certificate rotation to be scheduled by publishing backup fingerprints, so that the user agent has both the current and the next certificate pinned. HTTP Public Key Pinning should be enabled.
Rationale:
HTTP Public Key Pinning helps prevent a user agent from accepting a forged certificate, as happens in man-in-the-middle attacks.
Solution
Find the fingerprint of your certificate by referencing the fingerprint section of your certificate details. Note the SHA256 fingerprint in this section as well as that of a backup certificate or the next scheduled certificate for the website.
Insert your SHA256 fingerprints into the header below and add it to your server configuration (nginx add_header syntax shown):
add_header Public-Key-Pins 'pin-sha256="InsertPrimaryCertificateSHA256FingerPrintHere"; pin-sha256="InsertBackupCertificateSHA256FingerPrintHere"; max-age=5184000';
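As an added example (not part of the original control text), the following Python builds a Public-Key-Pins value from pin digests and then checks it for the mistakes that make user agents ignore the header: non-ASCII quotes, a pin that is not a base64 SHA-256 digest, a missing backup pin, or a missing max-age. Per RFC 7469 the pinned value is the base64 SHA-256 over the DER SubjectPublicKeyInfo, so spki_pin() takes those DER bytes; the byte strings used in the test are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import re

# A well-formed pin directive: the value is double-quoted base64.
PIN_RE = re.compile(r'^pin-sha256="([A-Za-z0-9+/=]+)"$')


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Assemble the Public-Key-Pins value; pins[0] is primary, the rest are backups."""
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def check_pkp_header(value):
    """Return the problems a user agent would trip over; an empty list means deployable."""
    problems = []
    if not value.isascii():
        problems.append("non-ASCII characters (e.g. curly quotes) in header value")
    pins, max_age = [], None
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        if directive.startswith("pin-sha256"):
            m = PIN_RE.match(directive)
            if not m:
                problems.append(f"malformed directive: {directive}")
                continue
            try:
                digest = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                digest = b""
            if len(digest) != 32:  # SHA-256 digests are exactly 32 bytes
                problems.append(f"pin is not a base64 SHA-256 digest: {m.group(1)}")
            pins.append(m.group(1))
        elif directive.startswith("max-age="):
            max_age = directive[len("max-age="):]
            if not max_age.isdigit():
                problems.append(f"max-age must be a non-negative integer: {max_age}")
        elif directive != "includeSubDomains" and not directive.startswith("report-uri="):
            problems.append(f"unknown directive: {directive}")
    if len(set(pins)) < 2:  # RFC 7469 requires a backup pin not in the served chain
        problems.append("need a primary pin plus at least one backup pin")
    if max_age is None:
        problems.append("max-age directive is required")
    return problems
```

Mainstream browsers have since dropped HPKP enforcement, so confirm current user-agent support before relying on the header rather than on certificate monitoring.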
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.