Thanks for this great Qualys SSL Labs tool. Here is a suggested improvement. Just like Qualys warns users if their HPKP hash is invalid or doesn't have a backup hash defined, so should Qualys SSL Labs warn users if they specify an HPKP reporting URL that is on the same domain. This is a violation of the standard. These reason is that if there is an HPKP violation, reporting to the same domain would potentially be problematic and the report never received. Therefore, reporting should occur on a separate domain. Hopefully Qualys can implement a check for this and notify users of such issues.