
Deprecate HPKP security header

Closes gh-10144
Marcus Da Coregio 2 سال پیش
64a19de4dc

+ 14 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -266,7 +266,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link HpkpConfig} for additional customizations
 	 *
 	 * @since 4.1
+	 * @deprecated see <a href=
+	 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
+	 * and Public Key Pinning</a> for more context
 	 */
+	@Deprecated
 	public HpkpConfig httpPublicKeyPinning() {
 		return this.hpkp.enable();
 	}
@@ -277,7 +281,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @param hpkpCustomizer the {@link Customizer} to provide more options for the
 	 * {@link HpkpConfig}
 	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @deprecated see <a href=
+	 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
+	 * and Public Key Pinning</a> for more context
 	 */
+	@Deprecated
 	public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HpkpConfig> hpkpCustomizer) {
 		hpkpCustomizer.customize(this.hpkp.enable());
 		return HeadersConfigurer.this;
@@ -1040,6 +1048,12 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
+	/**
+	 * @deprecated see <a href=
+	 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
+	 * and Public Key Pinning</a> for more context
+	 */
+	@Deprecated
 	public final class HpkpConfig {
 
 		private HpkpHeaderWriter writer;
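Review bot: The `@deprecated` Javadoc tags added in all three hunks of this file, and the class-level one in HpkpHeaderWriter.java, give only a link and state neither the version nor the reason, while the Kotlin DSL in the same commit says `as of 5.8 with no replacement` and the schema text says the header no longer works in modern browsers. Javadoc readers and the deprecation report are better served by a tag that leads with both, e.g. `@deprecated as of 5.8 with no replacement; the HPKP header no longer works in modern browsers, see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context`. If the baseline is still Java 8, `@Deprecated(since = "5.8")` is not available, so the Javadoc tag is the only place this can be recorded on the Java side. The `HpkpConfig` class body continues beyond the last hunk.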

+ 2 - 0
config/src/main/kotlin/org/springframework/security/config/web/servlet/HeadersDsl.kt

@@ -117,7 +117,9 @@ class HeadersDsl {
      * href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP)</a>.
      *
      * @param hpkpConfig the customization to apply to the header
+     * @deprecated see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context
      */
+    @Deprecated(message = "as of 5.8 with no replacement")
     fun httpPublicKeyPinning(hpkpConfig: HttpPublicKeyPinningDsl.() -> Unit) {
         this.hpkp = HttpPublicKeyPinningDsl().apply(hpkpConfig).get()
     }
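Review bot: `@deprecated` is not a KDoc block tag (KDoc documents deprecation through the `@Deprecated` annotation, whose message Dokka renders), so the line added before the closing `*/` here, and the matching one on the class KDoc in HttpPublicKeyPinningDsl.kt, will be treated as an unknown tag rather than a deprecation notice. Fold the reason and the link into the annotation instead, `@Deprecated(message = "as of 5.8 with no replacement; the HPKP header no longer works in modern browsers, see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning")`, or keep the link as an ordinary sentence in the KDoc body. The added line also runs to about 160 columns, while the Java side of this commit wraps the same text and the existing KDoc above it is wrapped as well.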

+ 2 - 0
config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/HttpPublicKeyPinningDsl.kt

@@ -33,8 +33,10 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
  * @property reportOnly if true, the browser should not terminate the connection with
  * the server.
  * @property reportUri the URI to which the browser should report pin validation failures.
+ * @deprecated see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context
  */
 @HeadersSecurityMarker
+@Deprecated(message = "as of 5.8 with no replacement")
 class HttpPublicKeyPinningDsl {
     var pins: Map<String, String>? = null
     var maxAgeInSeconds: Long? = null

+ 1 - 0
config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc

@@ -1193,6 +1193,7 @@ cors-options.attlist &=
 	attribute configuration-source-ref {xsd:token}?
 
 hpkp =
+	## Deprecated. The HPKP header no longer works in modern browsers, see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context
 	## Adds support for HTTP Public Key Pinning (HPKP).
 	element hpkp {hpkp.pins,hpkp.attlist}
 hpkp.pins =
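Review bot: The added `##` line runs straight into the existing `## Adds support for HTTP Public Key Pinning (HPKP).` line, because RELAX NG compact syntax joins consecutive `##` lines into one documentation string and the new line has no terminating punctuation; the XSD in this commit, which looks generated from this file given the identical wrapped text, already shows the result, `for more context Adds support for HTTP Public Key Pinning`. End the line with a full stop, `## Deprecated. The HPKP header no longer works in modern browsers, see ... for more context.`, or place the deprecation note after the description, then regenerate the XSD. The `<a href=...>` markup ends up escaped as `&lt;a ...&gt;` inside `xs:documentation`, so whether it renders as a link depends on the tool consuming the schema documentation; a plain sentence with the bare URL would be the safer choice.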

+ 5 - 2
config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd

@@ -3373,7 +3373,10 @@
   </xs:attributeGroup>
   <xs:element name="hpkp">
       <xs:annotation>
-         <xs:documentation>Adds support for HTTP Public Key Pinning (HPKP).
+         <xs:documentation>Deprecated. The HPKP header no longer works in modern browsers, see &lt;a
+                href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning"&gt;Certificate
+                and Public Key Pinning&lt;/a&gt; for more context Adds support for HTTP Public Key Pinning
+                (HPKP).
                 </xs:documentation>
       </xs:annotation>
       <xs:complexType>
@@ -3875,4 +3878,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

+ 4 - 0
web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java

@@ -110,7 +110,11 @@ import org.springframework.util.Assert;
  * @author Tim Ysewyn
  * @author Ankur Pathak
  * @since 4.1
+ * @deprecated see <a href=
+ * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
+ * and Public Key Pinning</a> for more context
  */
+@Deprecated
 public final class HpkpHeaderWriter implements HeaderWriter {
 
 	private static final long DEFAULT_MAX_AGE_SECONDS = 5184000;
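Review bot: Deprecating `HpkpHeaderWriter` at class level produces a deprecation warning at every reference that is not itself inside a deprecated entity; `HeadersConfigurer.HpkpConfig` is exempt because this commit deprecates it too, but presumably the XML namespace parser that instantiates the writer for the `<hpkp>` element (not in this diff) is not, so check whether the build's warning settings call for a `@SuppressWarnings("deprecation")` there. The class body continues beyond the hunk.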