
HTTP Public Key Pinning

Article Id: WHEBN0045619411

Title: HTTP Public Key Pinning  
Author: World Heritage Encyclopedia
Language: English
Publisher: World Heritage Encyclopedia


HTTP Public Key Pinning (HPKP)[1] is a security mechanism that allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. (For example, attackers can sometimes compromise certificate authorities and then mis-issue certificates for a web origin.) The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use one or more of those public keys in its certificate chain.

The server communicates the HPKP policy to the user agent via an HTTP response header field named Public-Key-Pins (or Public-Key-Pins-Report-Only for reporting-only purposes). The policy is made up of the following directives: pin-sha256 directives, which specify hashes of the subject public key info of one of the certificates in the website's authentic X.509 public key certificate chain (and at least one backup key); a max-age directive, which gives the period of time during which the user agent shall enforce public key pinning; an optional includeSubDomains directive, which extends the pinning policy to all subdomains of the domain that sent the header; and an optional report-uri directive, which gives the URL to which pinning violation reports are sent. At least one of the public keys of the certificates in the certificate chain needs to match a pinned public key for the user agent to consider the chain valid. At the time of publishing, RFC 7469 allowed only the SHA-256 hash algorithm. Hashes for an HPKP policy can be generated with the POSIX shell commands given in Appendix A of RFC 7469 or with third-party tools.

A website operator can choose to pin the root certificate public key of a particular root certificate authority, allowing only that certificate authority (and all intermediate authorities signed by its key) to issue valid certificates for the website's domain, and/or to pin the key(s) of one or more intermediate issuing certificates, or to pin the end-entity public key. At least one backup key must be pinned, in case the current pinned key needs to be replaced. An HPKP policy is not valid without this backup key (a backup key is defined as a public key not present in the current certificate chain).[2]

HPKP is standardized in RFC 7469.[1] It expands on static certificate pinning, which hardcodes public key hashes of well-known websites or services within web browsers and applications.[3]

The Chromium browser disables pinning for certificate chains with private root certificates to enable various corporate content inspection scanners[4] and web debugging tools (such as mitmproxy or Fiddler). The RFC 7469 standard also recommends disabling pinning violation reports for such certificate chains.[5]


Reporting


If the user agent performs pin validation and fails to find a valid SPKI fingerprint in the served certificate chain, it will POST a JSON-formatted violation report, containing details of the violation, to the host specified in the report-uri directive. The user agent cannot send HPKP violation reports to the same domain, as the report was triggered because the connection failed, so hosts must use an alternative domain or use a reporting service.[6]

Browser support

HPKP is supported in Firefox and Chrome,[7] but not in Internet Explorer/Edge.[8]

References

  1. "RFC 7469 - Public Key Pinning Extension for HTTP". Retrieved 2015-05-07.
  2. "About Public Key Pinning". Retrieved 2015-05-07.
  3. "Certificate and Public Key Pinning - OWASP". Retrieved 2015-05-07.
  4. "Security FAQ - The Chromium Projects". Retrieved 2015-07-07.
  5. "RFC 7469 - Public Key Pinning Extension for HTTP". Retrieved 2015-07-07.
  6. "HPKP Violation Reporting". Scott Helme.
  7.
  8.

External links

  • Online browser HSTS and Public Key Pinning test
  • JavaScript Public-Key-Pins (HPKP) calculator
  • Article about the very beginning of HPKP
  • Public Key Pinning Extension for HTTP (HPKP) article on Mozilla Developer Network
  • HPKP Violation Reporting
  • HPKP Policy Analyser
  • HPKP Hash Generator (URL)
  • HPKP Hash Generator (PEM)