Hi, Ivan

Both HPKP and HSTS are only considered when they are received over a TLS-protected connection. TLS should protect against response header injection, no?

Yoav

On Apr 23, 2014, at 10:15 AM, Ivan Ristić <[email protected]> wrote:

> According to the HPKP spec:
>
> "If a UA receives more than one PKP header field in an HTTP
> response message over secure transport, then the UA MUST process
> only the first such header field."
>
> What's the rationale for this decision? (The same logic is applied in
> HSTS, so perhaps the behaviour is copied from there?)
>
> HPKP and HSTS are both vulnerable to response header injection attacks.
> Assuming an application that correctly sets the security headers, a
> successful attack produces a response with multiple security headers and
> the attacker has a good chance to place his headers first.
>
> Have you considered instructing UAs to ignore all headers when there are
> two or more?
>
> --
> Ivan
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
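As an added illustration of the two handling rules discussed in this thread (example code, not from the thread, the spec, or any browser), the following Python models a UA deciding which Public-Key-Pins header to act on: headers are only considered over TLS, the "first header wins" rule from the quoted spec text is the default, and the "ignore all when two or more" rule Ivan proposes is available as a flag. The pin values are constructed placeholders and the directive grammar is a simplification.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class PinPolicy:
    pins: List[str] = field(default_factory=list)  # base64 SPKI digests
    max_age: int = 0
    include_subdomains: bool = False

def parse_pkp(value: str) -> Optional[PinPolicy]:
    """Parse one Public-Key-Pins value; None if malformed.
    Simplified (assumption, not the full RFC grammar): needs at least one
    pin-sha256 and a numeric max-age; unknown directives are ignored."""
    policy, saw_max_age = PinPolicy(), False
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            policy.pins.append(val)
        elif name == "max-age":
            if not val.isdigit():
                return None
            policy.max_age, saw_max_age = int(val), True
        elif name == "includesubdomains":
            policy.include_subdomains = True
    return policy if policy.pins and saw_max_age else None

def effective_policy(headers: List[Tuple[str, str]], secure_transport: bool,
                     ignore_if_multiple: bool = False) -> Optional[PinPolicy]:
    """Pick the PKP header a UA acts on, if any. PKP is only considered
    over TLS. ignore_if_multiple=False: the first PKP header wins (the
    quoted spec rule). True: two or more PKP headers make the UA ignore
    them all (the rule proposed in the thread)."""
    if not secure_transport:
        return None
    found = [v for n, v in headers if n.lower() == "public-key-pins"]
    if not found or (len(found) > 1 and ignore_if_multiple):
        return None
    return parse_pkp(found[0])

# Constructed responses with placeholder pins (not real SPKI digests).
APP = ("Public-Key-Pins",
       'pin-sha256="APP_PIN_PLACEHOLDER="; max-age=5184000; includeSubDomains')
STRAY = ("Public-Key-Pins", 'pin-sha256="STRAY_PIN_PLACEHOLDER="; max-age=60')
CLEAN = [("Content-Type", "text/html"), APP]
DUPLICATED = [("Content-Type", "text/html"), STRAY, APP]  # unexpected header first
if __name__ == "__main__":
    print(effective_policy(CLEAN, True).pins)                           # ['APP_PIN_PLACEHOLDER=']
    print(effective_policy(DUPLICATED, True).pins)                      # ['STRAY_PIN_PLACEHOLDER=']
    print(effective_policy(DUPLICATED, True, ignore_if_multiple=True))  # None
```

Run as-is the script shows that under the spec rule the stray header's pins would be the ones enforced, while the stricter rule discards both.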
