Merged idea

This idea has been merged into another idea. To comment or vote on this idea, please visit WEBFLOW-I-784 HTTP response headers security.

HPKP - Public Key Pinning Merged

This, in addition to configuring custom X-Content Options, should be implemented to safeguard maximal security of Webflow.

I could not find anything about Public Key Pins (HPKP) on the forums or here in the wishlist.
Here’s an article :

HPKP: HTTP Public Key Pinning

HPKP is a security policy delivered via a HTTP response header. It allows a host to whitelist cryptographic identities a UA should accept for the host.

 Configure the webserver or website to always force this header. This can be done using the

following configuration directives:

Apache webserver:
Header always set Strict-Transport-Security “maxage=31536000; includeSubDomains” NginX webserver:
add_header Strict-Transport-Security “maxage=31536000; includeSubdomains” always;

Microsoft IIS
webserver: In the IIS manager choose “Add Custom HTTP Response Header” -> Name: “Strict-Transport-Security” -> Value: “max-age=31536000; includeSubdomains”

  • Martijn Hoppenbrouwer
  • Jul 28 2017