I also have a blog on the various places you can pin like the leaf, intermediate and root: https://scotthel.me/k2h
`Content-Security-Policy` is an awesome header, but in truth, it's very easy to misconfigure and even when correctly configured is usually fairly easy to bypass on any non-trivially complex website (for example, JSONP is an effective bypass for CSP). It's still worth looking into.
From recent scans I see that www.google.com got an E with missing headers:
Looks like they just need a Content-Security-Policy and Public-Key-Pins.
Site Scan from MS - https://dev.windows.com/en-us/microsoft-edge/tools/staticsca...
Subresource Integrity scanner - https://sritest.io/
These are all good but I would include the following:
Qualys SSL Server Test - The first site I use.
testssl.sh - for behind the firewall testing
https://tls.imirhil.fr/ - this one is nice because it shows the ciphers used/avail broken down by TLS version. I have not seen any other site do this.
This is also keeping the CSS from loading. (Chrome, however, displays beautifully.)
I remember a while back when I was first using this I had a really difficult time getting it to work for a site I was doing. In the end, I had to remove all references to 'self' as a source and use the domain instead (even though these should be one and the same).
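As an added illustration of the two points raised above (CSP being easy to misconfigure, and `'self'` not behaving as expected), here is a small CSP linter in Python. It is example code written for this thread, not code from any of the scanners linked here; the finding texts and the sample policies are constructed.

```python
"""Small Content-Security-Policy linter: an added example, not code from the
thread or from any of the scanners it links. It parses a CSP header value and
flags the misconfigurations that most often leave a policy ineffective."""
from typing import Dict, List

KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "dir src src; dir src" into {directive: [sources]}.
    Directive names are case-insensitive; if a directive is repeated, the
    spec says the first occurrence wins and later ones are ignored."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive not listed is unrestricted")
    # Bare keywords are a classic mistake: unquoted, self is just a host named "self".
    for name, sources in policy.items():
        for src in sources:
            if src.lower() in KEYWORDS:
                findings.append(f"{name}: keyword {src} must be quoted ('{src}')")
    scripts = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' permits injected inline scripts")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src: 'unsafe-eval' permits eval/new Function")
    for src in scripts:
        # Wildcards, scheme-only sources and data: URLs admit script from places the
        # site does not control; note that allow-listing a whole host also admits any
        # JSONP endpoint that host serves, which is the bypass the thread mentions.
        if src in ("*", "http:", "https:", "data:") or src.startswith("*."):
            findings.append(f"script-src: over-broad source {src}")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, not captured from any real site.
    for sample in ("script-src self https:", "default-src 'none'; script-src 'self' 'nonce-abc'"):
        print(sample, "->", audit_csp(sample) or ["ok"])
```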
As for pinning the CA instead of your own public key, you can see my other comments in this thread with links about how GitHub pin their CA and a backup CA. I also have a link with information on the various levels in a chain you can pin at like the leaf, intermediate and root. Each has its own benefits and drawbacks.