August 2015 - Safematix IT-Security

HPKP nginx apache

HPKP nginx apache

To enable HPKP, you should create the base64 string:

From key file

openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

From csr file

openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

From crt file

openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

You need 2 pins. One primary, second for backup.

Nginx

add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains';

Apache

Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"

wget test website

wget --proxy=off --spider www.safematix.com

wget fetch directory listing

To download everything with wget in the directory listing.

wget -r --no-parent --reject "index.html*" https://download.safematix.com/