
HTTP headers | Public-Key-Pins-Report-Only

Last Updated : 30 Nov, 2019

The HTTP Public-Key-Pins-Report-Only response header makes the browser send a report to the report-uri given in the header whenever a pinning violation occurs.
Unlike Public-Key-Pins, it still lets the browser connect to the server and shows no error message on screen when a pin is violated.

You should read the HTTP Public-Key-Pins article before reading this one.

Header type: Response header
Forbidden header name: no

Syntax

Public-Key-Pins-Report-Only: pin-sha256="pin-value";
                             max-age=expire-time;
                             includeSubDomains;
                             report-uri="uri"

Directives:

  • pin-sha256="pin-value"
    Specifies a pin. The directive can be repeated to pin several different public keys. Hash algorithms other than SHA-256 may be supported in the future.
  • max-age=expire-time
    This directive is not used in the Public-Key-Pins-Report-Only header: user agents ignore it, and the pins are not cached.
  • includeSubDomains
    Specifies that the site's pinning rules also apply to its subdomains. This directive is optional.
  • report-uri="uri"
    Specifies where reports of pin validation failures are sent. This directive is also optional.

Example:

Public-Key-Pins-Report-Only:
    pin-sha256="cUPcTAZWKaASuYWhhneY3oBAkE3h2+soZS7sWs=";
    pin-sha256="M8HztCzM3elS5P4hhyBNf6lHkmjAHKhpGPWE=";
    includeSubDomains;
    report-uri="https://www.geeksforgeeks.org/hpkp-report"

In this example, the first directive pin-sha256="cUPcTAZWKaASuYWhhneY3oBAkE3h2+soZS7sWs=" is the server's public key used in production.

The second directive pin-sha256="M8HztCzM3elS5P4hhyBNf6lHkmjAHKhpGPWE=" is the backup key.

The third directive, includeSubDomains, states that the pins also apply to all subdomains.

Finally, report-uri="https://www.geeksforgeeks.org/hpkp-report" specifies where pin validation failures are reported.
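The following is an added Python example, not code from the original article. It parses the header into its directives (dropping max-age, which is ignored in Report-Only), checks that each pin is a well-formed SHA-256 pin, and mimics a browser's report-only behaviour: the connection always proceeds, and a report is produced only when no served key matches a pin. The SPKI blobs, hostname and report-uri are constructed placeholders, and the report body's field names are assumed for illustration.

```python
import base64
import binascii
import hashlib


def parse_pkp_ro(header_value):
    """Split a Public-Key-Pins-Report-Only value into its directives."""
    parsed = {"pin-sha256": [], "includeSubDomains": False, "report-uri": None}
    for part in header_value.split(";"):
        name, _, raw = part.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            parsed["pin-sha256"].append(raw)
        elif name == "includesubdomains":
            parsed["includeSubDomains"] = True
        elif name == "report-uri":
            parsed["report-uri"] = raw
        # max-age is meaningless in Report-Only, so it is deliberately dropped
    return parsed


def pin_is_well_formed(pin):
    """A pin-sha256 value must be base64 of exactly one 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def spki_pin(spki_der):
    """Compute the pin-sha256 value for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def evaluate_report_only(header_value, served_spki_ders, hostname):
    """Mimic a user agent: always connect, but report when no pin matches."""
    parsed = parse_pkp_ro(header_value)
    known = [p for p in parsed["pin-sha256"] if pin_is_well_formed(p)]
    served = [spki_pin(d) for d in served_spki_ders]
    matched = any(p in known for p in served)
    report = None
    if not matched and parsed["report-uri"]:
        # Minimal report body; field names are assumed for illustration
        report = {"hostname": hostname, "known-pins": known, "served-pins": served}
    return {"connect": True, "matched": matched,
            "report-uri": parsed["report-uri"], "report": report}


# Constructed sample inputs: stand-in SPKI blobs, not real keys
PROD_SPKI, BACKUP_SPKI, ROGUE_SPKI = b"prod-spki", b"backup-spki", b"rogue-spki"
HEADER = (f'pin-sha256="{spki_pin(PROD_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
          'max-age=5184000; includeSubDomains; report-uri="https://example.com/hpkp-report"')
```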

Browser compatibility:

  • Google Chrome
  • Opera
  • Firefox
  • Internet Explorer
  • Microsoft Edge
  • Safari
