I recently wrote about how I'm giving up on HPKP and as part of that blog post I suggested I may change the grading criteria on securityheaders.io. After listening to all of the feedback I received as a result of that post, I'm now announcing some changes to the grading.


Removing HPKP as a required header

For more details on why HPKP is being removed you can read my blog post I'm giving up on HPKP. The TL;DR is that deploying HPKP can be really hard, it's easy to screw up and deadly if you get it wrong. Because I want securityheaders.io to appeal to a much wider audience, I feel it's appropriate to remove HPKP from the scoring criteria and to stop requiring sites to deploy it to achieve the highest score, an A+. In the update that's just been deployed to the live site you no longer need to deploy HPKP for an A+. There is, however, another change that adds a new requirement for the A+ grade.


HTTPS is now required for an A+

At first glance it may not appear that a site grading your security headers should factor in HTTPS as a requirement; after all, HTTPS isn't a security header. HTTPS does, however, protect the transmission of your security headers and ensures that they end up in the browser as intended. You can have the best security headers possible, but if they're transmitted over plain HTTP then anyone on the network path can alter them or remove them altogether, and the browser has no way to tell. Strict-Transport-Security is the clearest case: a browser ignores an HSTS header it receives over HTTP, so that header does nothing until the site is served over HTTPS. This is the main reason you now need to have HTTPS deployed on your site to score an A+ on the test.
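To make the point concrete, here is an added example (my own illustration, not code from the original post or from securityheaders.io) that models the two transports. The sample HTTP response is constructed for the demo, the "hostile proxy" strips and rewrites security headers the way an on-path attacker could on a plaintext connection, and TLS is stood in for by a simple HMAC-protected record so the integrity failure can be shown offline; real TLS also encrypts, which the stand-in does not. The SESSION_KEY and the helper names are assumptions for this example only.

```python
import hmac
import hashlib

# Response headers that securityheaders.io-style checks care about (lowercased).
SECURITY_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "public-key-pins",
}

# Constructed sample response for this demo; not captured from any real site.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b"<h1>Hello</h1>"
)

# Assumed shared secret between client and server; stands in for TLS session keys.
SESSION_KEY = b"session-key-known-only-to-the-two-endpoints"
TAG_LEN = 32  # SHA-256 HMAC tag length in bytes


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode("ascii").strip(), value.decode("ascii").strip()))
    return status_line, headers, body


def serialize_response(status_line: str, headers, body: bytes) -> bytes:
    head = status_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
    return head.encode("ascii") + body


def hostile_proxy(raw: bytes) -> bytes:
    """What an on-path attacker can do to a plaintext response: drop every
    security header and inject a permissive CSP in place of the real one."""
    status, headers, body = parse_response(raw)
    kept = [(n, v) for n, v in headers if n.lower() not in SECURITY_HEADERS]
    kept.append(("Content-Security-Policy", "default-src *"))
    return serialize_response(status, kept, body)


def protect(raw: bytes, key: bytes) -> bytes:
    """Stand-in for a TLS record: MAC tag followed by the payload.
    Real TLS also encrypts; integrity is what this demo needs."""
    return hmac.new(key, raw, hashlib.sha256).digest() + raw


def deliver(record: bytes, key: bytes) -> bytes:
    """Receiver side: verify the tag or refuse the record, as TLS would."""
    tag, raw = record[:TAG_LEN], record[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, raw, hashlib.sha256).digest()):
        raise ValueError("record integrity check failed; connection would be aborted")
    return raw


def headers_seen_by_browser(scheme: str, raw: bytes, attacker_on_path: bool) -> dict:
    """Headers the browser actually acts on after transport and attacker effects."""
    if scheme == "https":
        record = protect(raw, SESSION_KEY)
        if attacker_on_path:
            # Without the session key the attacker cannot forge a valid tag,
            # so the best it can do is rewrite the payload and leave the tag.
            record = record[:TAG_LEN] + hostile_proxy(record[TAG_LEN:])
        raw = deliver(record, SESSION_KEY)  # raises if tampered
    elif scheme == "http":
        if attacker_on_path:
            raw = hostile_proxy(raw)
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    _, headers, _ = parse_response(raw)
    seen = {n.lower(): v for n, v in headers}
    if scheme == "http":
        # Browsers ignore Strict-Transport-Security received over plain HTTP.
        seen.pop("strict-transport-security", None)
    return seen


def tampered_https_rejected(raw: bytes) -> bool:
    """True if a rewritten HTTPS response is refused before the browser sees it."""
    try:
        headers_seen_by_browser("https", raw, attacker_on_path=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for scheme, attacker in (("https", False), ("http", False), ("http", True)):
        print(scheme, "attacker" if attacker else "clean",
              sorted(headers_seen_by_browser(scheme, SAMPLE_RESPONSE, attacker)))
    print("https + attacker rejected:", tampered_https_rejected(SAMPLE_RESPONSE))
```

Over HTTPS the browser gets the headers exactly as the server sent them, and a rewritten record fails the integrity check before any header is processed. Over HTTP the attacker's version is what the browser sees, and even with no attacker present the HSTS header is simply discarded, which is why a perfect header set on a plain-HTTP site does not earn an A+.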


Head over to the new site and see how/if the grading changes affect you: securityheaders.io