Implement CSP & HPKP violation reporting
As reported by Emanuel Bronshtein,
I suggest implementing the following for *.phpmyadmin.net websites:

* 'Public-Key-Pins-Report-Only' header, more information: https://developers.google.com/web/updates/2015/09/HPKP-reporting-with-chrome-46?hl=en https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning
* report-uri directive in CSP headers, more information: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports

One free service that can be used for that purpose: https://report-uri.io/

While using 'Public Key Pinning (HPKP)' is better, it's vulnerable to the 'HPKP Suicide/Footgun' problem (very bad to lose control over keys), more information: https://scotthelme.co.uk/using-security-features-to-do-bad-things/ https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead Thus I suggest implementing only the reporting feature (Public-Key-Pins-Report-Only header). More information regarding HPKP & Let's Encrypt usage: https://scotthelme.co.uk/setting-up-le/ https://scotthelme.co.uk/lets-encrypt-smart-renew/
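The two headers proposed above, and the reports they make browsers send back, as an added example (not phpMyAdmin project code and not from the reporter). It builds a `Public-Key-Pins-Report-Only` value with a live and a backup `pin-sha256` plus a quoted `report-uri`, a CSP value ending in an unquoted `report-uri`, and a parser that normalises the CSP (`application/csp-report`) and HPKP (`application/json`, RFC 7469 section 3) report bodies. The collector URL `https://reports.example/violations`, the size cap, the SPKI bytes behind the pins and both sample reports are constructed for illustration; the only real API used is the Python standard library.

```python
"""Added example: build HPKP report-only and CSP headers, parse the violation reports.
Not phpMyAdmin project code; collector URL, pins and sample reports are constructed."""
import base64
import hashlib
import json

REPORT_URI = "https://reports.example/violations"  # assumption: hypothetical collector
MAX_REPORT_BYTES = 16 * 1024  # assumption: cap request bodies on the public endpoint


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value per RFC 7469: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_report_only_header(pins, report_uri, include_subdomains=False):
    """Public-Key-Pins-Report-Only value. max-age is left out: nothing is cached
    in report-only mode. Two distinct pins are required so the header rehearses
    exactly what an enforcing header needs (RFC 7469 s2.5 demands a backup pin)."""
    if len(set(pins)) < 2:
        raise ValueError("need the live pin plus at least one backup pin")
    parts = ['pin-sha256="%s"' % p for p in pins]
    if include_subdomains:
        parts.append("includeSubDomains")
    parts.append('report-uri="%s"' % report_uri)  # quoted in HPKP
    return "; ".join(parts)


def csp_header(policy, report_uri):
    """Serialise {directive: [sources]} into a CSP value; report-uri is unquoted."""
    parts = ["%s %s" % (d, " ".join(s)) for d, s in policy.items()]
    parts.append("report-uri %s" % report_uri)
    return "; ".join(parts)


def parse_violation_report(content_type, body):
    """Normalise a browser-sent report. The endpoint is unauthenticated and anyone
    can POST to it, so size, JSON shape and field types are checked and strings
    are truncated before they are logged or forwarded (e.g. to Sentry)."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("report is not valid JSON")
    if not isinstance(data, dict):
        raise ValueError("report must be a JSON object")
    media = content_type.split(";")[0].strip().lower()
    if media == "application/csp-report" and isinstance(data.get("csp-report"), dict):
        r = data["csp-report"]
        return {
            "kind": "csp",
            "document": str(r.get("document-uri", ""))[:2048],
            "blocked": str(r.get("blocked-uri", ""))[:2048],
            "directive": str(r.get("effective-directive") or r.get("violated-directive", ""))[:128],
        }
    if media == "application/json" and isinstance(data.get("known-pins"), list):
        chain = data.get("validated-certificate-chain")
        port = data.get("port", 443)
        if not isinstance(chain, list) or not isinstance(port, int):
            raise ValueError("malformed HPKP report")
        return {
            "kind": "hpkp",
            "host": str(data.get("hostname", ""))[:253],
            "port": port,
            "known_pins": [str(p)[:80] for p in data["known-pins"]],
            "chain_len": len(chain),
        }
    raise ValueError("unrecognised report: %s" % media)


# Constructed sample data (not real keys, certificates or captured reports).
LIVE_PIN = spki_pin(b"constructed-spki-of-the-live-leaf-key")
BACKUP_PIN = spki_pin(b"constructed-spki-of-the-offline-backup-key")

CSP_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://www.phpmyadmin.net/",
    "blocked-uri": "https://evil.example/x.js",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
}}).encode("utf-8")

HPKP_SAMPLE = json.dumps({
    "date-time": "2016-10-01T12:00:00Z",
    "hostname": "www.phpmyadmin.net",
    "port": 443,
    "validated-certificate-chain": ["-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"],
    "known-pins": ['pin-sha256="%s"' % LIVE_PIN, 'pin-sha256="%s"' % BACKUP_PIN],
}).encode("utf-8")

if __name__ == "__main__":
    print(hpkp_report_only_header([LIVE_PIN, BACKUP_PIN], REPORT_URI, include_subdomains=True))
    print(csp_header({"default-src": ["'self'"], "script-src": ["'self'"]}, REPORT_URI))
    print(parse_violation_report("application/csp-report", CSP_SAMPLE))
    print(parse_violation_report("application/json", HPKP_SAMPLE))
```

The backup pin must belong to a key kept offline and never served; when the certificate is reissued from a key that matches neither pin, the report-only header produces HPKP reports at the collector instead of locking users out, which is the whole point of starting with `Report-Only`.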
Given that we do not control SSL certificates for websites served by the CDN (probably the most important ones), I'm not really sure we're in a position to implement this in a way that would be usable.
Sure, adding HPKP is relatively easy to accomplish (in a non-fatal-error way) on the server that does SSL termination; there might be an option on the CDN side (the one generating the certs) to enable HPKP. The CSP reporting can be implemented easily using https://report-uri.io/
Or using Sentry, which we now have internally.