Deprecate HPKP security header #10144

Closed
jiheon-dev opened this issue Jul 28, 2021 · 2 comments
Labels: in: web (An issue in web modules (web, webmvc)); status: ideal-for-contribution (An issue that we actively are looking for someone to help us with); type: enhancement (A general enhancement)

jiheon-dev commented Jul 28, 2021

Related #4261

Expected Behavior

Since HPKP header support has been deprecated by the browsers in order to support the Expect-CT security header, we should deprecate its DSL.

Current Behavior

The Spring Security project supports the Public-Key-Pins header.

Reference

https://scotthelme.co.uk/hpkp-is-no-more/
https://scotthelme.co.uk/a-new-security-header-expect-ct/

jiheon-dev added the "status: waiting-for-triage" (An issue we've not yet triaged) and "type: enhancement" (A general enhancement) labels on Jul 28, 2021
jiheon-dev changed the title from "Alternative to Public-Key-Pins security header" to "Alternative to Public-Key-Pins security header (Support Expect-CT)" on Jul 28, 2021
marcusdacoregio added the "in: config" (An issue in spring-security-config) and "in: web" (An issue in web modules (web, webmvc)) labels and removed the "status: waiting-for-triage" (An issue we've not yet triaged) and "in: config" (An issue in spring-security-config) labels on Jul 28, 2021
@marcusdacoregio
Contributor

Thanks for bringing this up @jiheon-dev.

Since we already have #4261 to add the support for the Expect-CT header, we may transform this issue to deprecate the HPKP header.

Can we change the title to Deprecate HPKP security header, and change the description to add context about this change?

Author

jiheon-dev commented Jul 28, 2021

Yes, I already changed the issue title. If you have something to change about my issue context, you can change it anytime.

Thanks for replying to my issue, @marcusdacoregio.

jiheon-dev changed the title from "Alternative to Public-Key-Pins security header (Support Expect-CT)" to "Deprecate HPKP security header" on Jul 28, 2021
marcusdacoregio added the "status: ideal-for-contribution" (An issue that we actively are looking for someone to help us with) label on Apr 28, 2022
marcusdacoregio added this to the 5.8.0-M1 milestone on May 3, 2022
marcusdacoregio removed their assignment on Jun 22, 2022
marcusdacoregio modified the milestones: 5.8.0-M1, 5.8.x on Jun 24, 2022
rwinch self-assigned this on Jul 5, 2022
rwinch assigned marcusdacoregio and unassigned rwinch on Sep 26, 2022
marcusdacoregio modified the milestones: 5.8.x, 5.8.0-RC1 on Oct 3, 2022
Projects
Status: Done
3 participants