Advanced Threat Mitigations via SSL Intercept
Published Feb 23, 2016
Version 1.0Was this article helpful?
How well does this work for pinned (HPKP) certificates.
Is it simply as straightforward as having the BIGIP remove or rewrite the
Public-Key-Pins(-Report-Only)
header in HTTP_RESPONSE
, to one that is in line with the certs generated by your BIGIP?
I presume that, if you are implementing this in an environment that has already received some
Public-Key-Pins
, you are at the mercy of the existing max-age
of those values, unless you can also influence the resetting of browser state amongst your users?