According to the HPKP spec: "If a UA receives more than one PKP header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field."
What's the rationale for this decision? (The same logic is applied in HSTS, so perhaps the behaviour is copied from there?)

HPKP and HSTS are both vulnerable to response header injection attacks. Assuming an application that correctly sets the security headers, a successful attack produces a response with multiple security headers, and the attacker has a good chance to place his headers first. Have you considered instructing UAs to ignore all headers when there are two or more?

-- Ivan

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
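The scenario Ivan describes, as an added example that is not part of the post or of the HPKP specification: a constructed server that echoes an attacker-controlled redirect target into a Location header without rejecting CR/LF, a minimal header parser, and two toy UA-side policies for choosing the Public-Key-Pins header, the "process only the first" rule quoted above and the "ignore all when there are two or more" alternative the post proposes. The response template, the pin values and the function names are all assumptions made for illustration.

```python
"""
Added example, not code from the websec post or from any UA.

Shows how a CRLF header injection can put an attacker's Public-Key-Pins
header ahead of the application's own, and what each UA policy then does.
"""

from typing import List, Optional, Tuple

# Placeholder pin values (constructed; not real SPKI hashes).
LEGIT_PKP = 'pin-sha256="LEGITPIN="; max-age=5184000'
ATTACKER_PKP = 'pin-sha256="ATTACKERPIN="; max-age=31536000'


def build_response(location: str) -> bytes:
    """Constructed vulnerable server: writes `location` into the Location
    header without stripping CR/LF, then emits the application's own PKP
    header. Because Location is written first, an injected header field
    lands ahead of the legitimate one."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        f"Public-Key-Pins: {LEGIT_PKP}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the head of an HTTP/1.1 response into (name, value) pairs,
    preserving order; names are lower-cased, the status line is dropped."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def pkp_first_wins(headers: List[Tuple[str, str]]) -> Optional[str]:
    """The rule quoted from the spec: process only the first PKP header."""
    for name, value in headers:
        if name == "public-key-pins":
            return value
    return None


def pkp_reject_if_multiple(headers: List[Tuple[str, str]]) -> Optional[str]:
    """The alternative suggested in the post: ignore all PKP headers when
    more than one is present, accept it only when exactly one is present."""
    values = [v for n, v in headers if n == "public-key-pins"]
    return values[0] if len(values) == 1 else None


# Attacker-controlled redirect target (constructed) carrying a CRLF injection.
INJECTED_LOCATION = "/next\r\nPublic-Key-Pins: " + ATTACKER_PKP


if __name__ == "__main__":
    for label, loc in (("benign", "/next"), ("injected", INJECTED_LOCATION)):
        hdrs = parse_headers(build_response(loc))
        print(label, "first-wins ->", pkp_first_wins(hdrs))
        print(label, "reject-if-multiple ->", pkp_reject_if_multiple(hdrs))
```

With the benign redirect both policies accept the application's pins; with the injected one, the first-wins policy accepts the attacker's header (with its longer max-age), while the reject-if-multiple policy sets no pins at all, which is exactly the trade-off the question raises.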
