
HTTP Public Key Pinning (HPKP)

HTTP Public Key Pinning (HPKP) is a security feature designed to protect against [[Man-in-the-middle attacks]] by allowing a website to specify which certificate authorities (CAs) or public keys it trusts.^[600-developer__tools__security__Strict-Transport-Security.md]

By pinning specific public keys, the site operator decides which CAs are trusted, rather than relying solely on the browser's built-in list of trusted CAs.^[600-developer__tools__security__Strict-Transport-Security.md] This prevents attackers from using a mistakenly issued or fraudulent certificate to intercept traffic, because the browser rejects any connection whose certificate chain does not contain one of the pinned keys.^[600-developer__tools__security__Strict-Transport-Security.md]

Implementation

The mechanism is implemented via the Public-Key-Pins HTTP response header.^[600-developer__tools__security__Strict-Transport-Security.md] A typical configuration includes the Base64-encoded Subject Public Key Info (SPKI) fingerprint (pin-sha256), a max-age directive, and an includeSubDomains directive.^[600-developer__tools__security__Strict-Transport-Security.md]

Example Header Configuration

Public-Key-Pins: pin-sha256="base64=="; max-age=2592000; includeSubDomains

To generate the pin-sha256 value, extract the public key from your own certificate, hash it into a fingerprint with a tool such as OpenSSL, and replace the placeholder base64== with the resulting string.^[600-developer__tools__security__Strict-Transport-Security.md]
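A worked version of that generation step, added here as an illustration and not code from the page or from any HPKP implementation. It computes what pin-sha256 actually is: the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo (SPKI) from the certificate, base64-encoded. Everything is standard-library Python; the DER walker, the helper names (extract_spki, pin_sha256, pin_from_pem, build_hpkp_header) and the embedded certificate are hypothetical, and the certificate is a constructed, unsigned skeleton whose Ed25519 key bytes are placeholders rather than a real key from any site. Because RFC 7469 requires at least one backup pin so that a key rotation does not lock clients out, the header builder takes two pins; note also that major browsers have since removed HPKP support, so the header is mostly of historical and educational interest.

```python
"""Derive an HPKP pin-sha256 value from an X.509 certificate (stdlib only).

pin-sha256 = base64( SHA-256( DER(SubjectPublicKeyInfo) ) )
The parser below walks just enough DER to locate the SPKI; it is not a
general X.509 parser. All helper names are hypothetical (added example).
"""
import base64
import hashlib


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = data[pos]
    pos += 1
    length = data[pos]
    pos += 1
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data: bytes, start: int, end: int):
    """Yield (tag, element_start, value_start, value_end) for each child TLV."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(data, pos)
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of a DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_start, cert_end = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs = next(_children(cert_der, cert_start, cert_end))
    if tbs[0] != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = list(_children(cert_der, tbs[2], tbs[3]))
    if fields and fields[0][0] == 0xA0:     # explicit [0] version tag is optional
        fields = fields[1:]
    # serial(0), signature alg(1), issuer(2), validity(3), subject(4), SPKI(5)
    spki = fields[5]
    if spki[0] != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a DER SEQUENCE")
    return cert_der[spki[1]:spki[3]]        # whole TLV, header included


def pin_sha256(spki_der: bytes) -> str:
    """Base64 of the SHA-256 digest of the SPKI DER: the pin-sha256 value."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_pem(pem: str) -> str:
    """Strip the PEM armour, decode to DER and compute the pin."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return pin_sha256(extract_spki(base64.b64decode(body)))


def build_hpkp_header(primary_pin: str, backup_pin: str,
                      max_age: int = 2592000, include_subdomains: bool = True) -> str:
    """Assemble the header; RFC 7469 requires a backup pin alongside the live one."""
    value = f'pin-sha256="{primary_pin}"; pin-sha256="{backup_pin}"; max-age={max_age}'
    if include_subdomains:
        value += "; includeSubDomains"
    return "Public-Key-Pins: " + value


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + content


# Constructed sample data (not a real certificate or key).
_ED25519_ALG = _der(0x30, _der(0x06, bytes.fromhex("2b6570")))      # OID 1.3.101.112
SAMPLE_SPKI = _der(0x30, _ED25519_ALG + _der(0x03, b"\x00" + bytes(range(32))))


def sample_cert_der() -> bytes:
    """Unsigned certificate skeleton with the field order extract_spki expects."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                            # [0] version v3
           + _der(0x02, b"\x01")                                      # serialNumber
           + _ED25519_ALG                                             # signature alg
           + _der(0x30, b"")                                          # issuer (empty)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + _der(0x30, b"")                                          # subject (empty)
           + SAMPLE_SPKI)                                             # subjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + _ED25519_ALG + _der(0x03, b"\x00" + bytes(64)))


SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(sample_cert_der()).decode("ascii")
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    live = pin_from_pem(SAMPLE_CERT_PEM)
    backup = pin_sha256(b"placeholder SPKI of the offline backup key")  # constructed
    print(build_hpkp_header(live, backup))
```

The same value is produced on the command line with the well-known OpenSSL pipeline: `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`; the point of the Python version is to show that the hash covers the SPKI structure (algorithm identifier plus key bits), not the whole certificate, which is why a renewed certificate carrying the same key keeps the same pin.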

  • [[HTTPS]]
  • [[Strict-Transport-Security]]
  • [[Content-Security-Policy]]

Sources

  • 600-developer__tools__security__Strict-Transport-Security.md