HOWTO: A+ with all 100%'s on SSL Labs test using apache2.4 (READ WARNINGS)

Some (important) general notes about the first post…

  1. Do not pin your private key!
  2. HPKP is risky. You should always understand what it is, how it works and what effects this has/can have before using it on your (production) server.
  3. @tlussnig is right: You have to add a backup key. Otherwise this disables the added security by HPKP, so it’s just useless. You should use dev.ssllabs.com to test this with the latest version of SSLLabs test as this has integrated more tests of headers like HSTS and HPKP. Edit: The SSLLabs version with extended HPKP test is now stable and accessible at ssllabs.com.
  4. Currently there is an important thing you should know when using HPKP with Let’s Encrypt, which can - in the worst case - break your whole site and prevent users from accessing your site. More information here:
    HTTP Public Key Pinning (HPKP)

The most important thing: Do not follow guides just to get 100% of something. Think about what you actually do on your server!

Here are some good resources for reading about HPKP:

Additionally, here you get a bunch of tools for HPKP by @ScottHelme, especially the analysis tool.

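A small pre-deployment check for the backup-pin and Let's Encrypt renewal warnings in the post above, as an added Python example (not code from the post or from any of the linked tools). The SPKI byte strings are constructed stand-ins for the real DER-encoded public keys you would extract from the live certificate and the backup CSR; only the pin arithmetic and the policy rules are real.

```python
import base64
import hashlib
import re

# Constructed sample DER SubjectPublicKeyInfo blobs standing in for real keys.
# In practice these come from the served certificate and the offline backup CSR.
SERVED_SPKI = b"constructed-spki-of-currently-served-leaf-key"
BACKUP_SPKI = b"constructed-spki-of-offline-backup-key"
NEXT_RENEWAL_SPKI = b"constructed-spki-of-fresh-key-generated-at-next-renewal"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as defined in RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spki_list, max_age: int, include_subdomains: bool = False) -> str:
    """Assemble a Public-Key-Pins header value from public keys (never private keys)."""
    parts = [f'pin-sha256="{spki_pin(s)}"' for s in spki_list]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp_header(header: str):
    """Return (set of pin-sha256 values, max-age or None) from a header value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    m = re.search(r"max-age=(\d+)", header)
    return pins, (int(m.group(1)) if m else None)


def check_pin_policy(header: str, served_spki: bytes, renewal_spkis=()) -> list:
    """List the lock-out risks the post warns about; an empty list means the header is safe to deploy."""
    pins, max_age = parse_hpkp_header(header)
    problems = []
    served = spki_pin(served_spki)
    if served not in pins:
        problems.append("served key is not pinned: browsers will refuse the site immediately")
    if not (pins - {served}):
        problems.append("no backup pin: a lost or rotated key locks users out for max-age seconds")
    for spki in renewal_spkis:
        if spki_pin(spki) not in pins:
            problems.append("key used at next renewal is not pinned: renewal will break the site")
    if max_age is None:
        problems.append("max-age missing: header is invalid and will be ignored")
    return problems
```

Run `check_pin_policy` against the header you intend to send, passing the key your renewal tooling will use next; a non-empty result is exactly the situation that breaks a Let's Encrypt site after a key-rotating renewal.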