Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove hpkp from "mainline" Helmet #180

Closed
EvanHahn opened this issue Sep 19, 2018 · 12 comments
Closed

Remove hpkp from "mainline" Helmet #180

EvanHahn opened this issue Sep 19, 2018 · 12 comments
Assignees
@EvanHahn
Milestone
4.0.0

Comments

@EvanHahn
Copy link
Member

See helmetjs/hpkp#14.

Because this is a breaking change, it'll happen in Helmet version 4.
@EvanHahn EvanHahn mentioned this issue Sep 19, 2018
Closed
@FranklinYu
Copy link

FYI, Chrome has not yet removed support for HPKP as of version 70. They seems to have changed their plan.

@EvanHahn
Copy link
Member Author

Interesting. Do you have a source for this?

@FranklinYu
Copy link

I don't think they publicly announced the change of plan, but you can test this page with Chrome 70. For me it is still working, even if the deprecating message is still showing up claiming that it will be (should have been?) removed in 69.

@EvanHahn
Copy link
Member Author

EvanHahn commented Nov 16, 2018 via email

@FranklinYu
Copy link

That's exactly what I would propose. 👍

@EvanHahn
Copy link
Member Author

EvanHahn commented Nov 16, 2018 via email

@mkargus
Copy link

mkargus commented Dec 5, 2018

It appears that Chrome is removing it in release 72.

@FranklinYu
Copy link

FranklinYu commented Dec 5, 2018
edited
Loading

I can confirm with Chrome Dev (72), both Windows and Android.

@EvanHahn
Copy link
Member Author

EvanHahn commented Dec 6, 2018 via email

@mkargus
Copy link

mkargus commented Feb 10, 2019

Chrome 72 is now released.

EvanHahn added a commit that referenced this issue Feb 10, 2019
@EvanHahn
Deprecate hpkp
ca50146 
See <#180>.
@EvanHahn
Copy link
Member Author

I've updated the docs and added a deprecation warning to Helmet. This helmet.hpkp will be removed in Helmet 4.

@EvanHahn EvanHahn self-assigned this Feb 10, 2019
@gzog gzog mentioned this issue May 26, 2019
Merged
@EvanHahn EvanHahn added this to the 4.0.0 milestone Jun 12, 2020
@EvanHahn EvanHahn mentioned this issue Jun 12, 2020
Merged
36 tasks
@EvanHahn
Copy link
Member Author

This was closed in #192 and merged into the 4.x branch. I'm closing this because it will be released in Helmet 4 (though it's not technically released yet).

@lu-zen lu-zen mentioned this issue Jul 20, 2020
Closed
Mahmoud-64 added a commit to Mahmoud-64/CheatSheetSeries that referenced this issue Feb 5, 2023
@Mahmoud-64
Public-Key-Pins header has been deprecated
bb16f89 
The public-Key-Pins header has been deprecated citing risks of misuse and therefore is not recommended. also, the helmet package no longer supports this header

resources:
 - https://developer.chrome.com/blog/chrome-67-deps-rems/#deprecate-http-based-public-key-pinning
 - helmetjs/helmet#180
 - https://github.com/helmetjs/hpkp
@Mahmoud-64 Mahmoud-64 mentioned this issue Feb 5, 2023
Merged
8 tasks
mackowski pushed a commit to OWASP/CheatSheetSeries that referenced this issue Feb 13, 2023
@Mahmoud-64
Public-Key-Pins header has been deprecated (#1086)
b5d9564 
The public-Key-Pins header has been deprecated citing risks of misuse and therefore is not recommended. also, the helmet package no longer supports this header

resources:
 - https://developer.chrome.com/blog/chrome-67-deps-rems/#deprecate-http-based-public-key-pinning
 - helmetjs/helmet#180
 - https://github.com/helmetjs/hpkp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EvanHahn EvanHahn

Labels
None yet
Milestone
4.0.0
Development

No branches or pull requests
3 participants
@EvanHahn @FranklinYu @mkargus