
HTTP headers | Public-Key-Pins

Last Updated : 30 Nov, 2019

Deprecated: This feature is no longer recommended. The Google Chrome team announced its deprecation in 2017 because of its complexity and its side-effects: a wrong or malicious set of pins locks users out of the site until max-age expires, and very few sites deployed it correctly. Google's documentation at the time pointed to Expect-CT (Certificate Transparency enforcement) as the better alternative. Most browsers have since removed support entirely; any remaining support exists only for compatibility, so the header must not be relied on for security.

HTTP Public Key Pinning (HPKP) is an Internet security mechanism, delivered through an HTTP response header, that lets an HTTPS site resist impersonation by an attacker holding a mis-issued or fraudulent certificate. The server sends the client (e.g. a web browser) a set of hashes of public keys; the client stores them and, on later connections to the same host name, accepts only certificate chains that contain at least one of those keys.

For example, an attacker might compromise a certificate authority and obtain a certificate for an origin they do not control; ordinary certificate validation would accept it. To reduce this risk, the HTTPS web server serves a list of "pinned" public-key hashes that are valid for a given time. During that validity period, on subsequent connections, the client expects the server to present one or more of those public keys somewhere in its certificate chain. If none of them matches, the client rejects the connection and, if a report-uri was configured, reports the failure.

Header type: Response header

Syntax:

Public-Key-Pins: pin-sha256="<pin-value>";
                 pin-sha256="<backup-pin-value>";
                 max-age=<expire-time>;
                 includeSubDomains;
                 report-uri="<uri>"

Directives

  • pin-sha256="pin-value"
    The quoted value is the Base64 encoding of the SHA-256 hash of the certificate's DER-encoded Subject Public Key Info (SPKI). It pins a key, not a whole certificate, so it survives certificate renewal as long as the same key pair is reused. The directive may be repeated to pin several keys, and it must be: a browser only honours the header if at least one pin matches a key in the served chain and at least one other pin is a backup that does not. SHA-256 is the only algorithm RFC 7469 defines; the directive name leaves room for other hashes in the future.
  • max-age=expire-time
    The number of seconds the browser should remember that the site may only be reached with one of the pinned keys. Every valid header refreshes the timer, and max-age=0 tells the browser to forget the pins.
  • includeSubDomains
    Applies the site's pins to all of its subdomains as well. This directive is optional.
  • report-uri="uri"
    The URI to which the browser POSTs a JSON report when pin validation fails. This directive is optional. The related Public-Key-Pins-Report-Only header sends the same reports without ever blocking a connection.

Example

Public-Key-Pins:
  pin-sha256="cUPcTAZWKaASuYWhhneY3oBAkE3h2+soZS7sWs=";
  pin-sha256="M8HztCzM3elS5P4hhyBNf6lHkmjAHKhpGPWE=";
  max-age=51000;
  includeSubDomains;
  report-uri="https://www.geeksforgeeks.org/hpkp-report"

In this example, the first pin-sha256 value is the hash of the server's production public key.
The second pin-sha256 value is a backup key that is kept offline and does not appear in the served chain, so the site can rotate to it if the production key is compromised or lost. (Both values shown here are shortened placeholders; a real SHA-256 pin is exactly 44 Base64 characters.)
max-age=51000 tells the client to enforce the pins for 51000 seconds, roughly 14 hours. RFC 7469 does not prescribe a value; operators usually start with a short max-age and raise it only once the pins are known to be correct, because a wrong pin locks users out until it expires.
includeSubDomains applies the same pins to all subdomains.
Finally, report-uri="https://www.geeksforgeeks.org/hpkp-report" names the endpoint that receives pin validation failure reports.
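The pin computation and validation rules described in the directives and the example above, as an added Python example (not code from the original article or from any browser): it derives pin-sha256 values from SPKI bytes, builds and parses a Public-Key-Pins header, and applies the RFC 7469 rule that a host is noted as pinned only when one pin matches the served chain and another pin is a backup. The SPKI byte strings and the report URI https://example.test/hpkp-report are constructed placeholders, not real keys or endpoints.

```python
"""Added example: build, parse and evaluate a Public-Key-Pins header with
only the Python standard library.

The SPKI values below are constructed placeholder bytes. For a real
certificate the SPKI is the DER-encoded SubjectPublicKeyInfo, e.g.:
  openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der
"""
import base64
import hashlib
import re
from typing import Iterable, Optional


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: Base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_hpkp_header(pins, max_age, include_subdomains=False, report_uri=None) -> str:
    """Serialize the directives. A production pin plus a backup pin is the minimum."""
    if len(pins) < 2:
        raise ValueError("HPKP needs a production pin and at least one backup pin")
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={int(max_age)}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


# name, optionally followed by =quoted-string or =token
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("([^"]*)"|([^;\s]+)))?\s*')


def parse_hpkp_header(value: str) -> dict:
    """Parse the header; reject malformed pins and a missing max-age."""
    result = {"pins": set(), "max_age": None, "include_subdomains": False, "report_uri": None}
    for raw in value.split(";"):  # assumes no ';' inside the report URI
        if not raw.strip():
            continue
        m = _DIRECTIVE.fullmatch(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()
        val = m.group(3) if m.group(3) is not None else m.group(4)
        if name == "pin-sha256":
            # A 32-byte digest is exactly 44 Base64 characters (one '=' pad).
            try:
                ok = val is not None and len(val) == 44 and len(base64.b64decode(val, validate=True)) == 32
            except ValueError:
                ok = False
            if not ok:
                raise ValueError(f"invalid pin-sha256 value: {val!r}")
            result["pins"].add(val)
        elif name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "report-uri":
            result["report_uri"] = val
        # unknown directives are ignored, as the RFC requires
    if result["max_age"] is None:
        raise ValueError("max-age is required")
    return result


def note_pinned_host(header_value: str, chain_spkis: Iterable[bytes]) -> Optional[dict]:
    """Decide whether a browser may note this host as pinned (RFC 7469 section 2.5):
    the header must be valid, at least one pin must match a key in the served chain,
    and at least one pin must be a backup that matches nothing in the chain.
    Returns the policy to store, or None if the header must be ignored."""
    policy = parse_hpkp_header(header_value)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = policy["pins"] & chain_pins
    backup = policy["pins"] - chain_pins
    if not matched or not backup:
        return None
    return policy


def chain_is_pinned(policy: dict, chain_spkis: Iterable[bytes]) -> bool:
    """Pin validation on a later connection: any SPKI in the chain may match."""
    return any(spki_pin(s) in policy["pins"] for s in chain_spkis)


# Constructed placeholder SPKIs (real ones are DER SubjectPublicKeyInfo blobs).
LEAF_SPKI = b"constructed-leaf-spki-" + bytes(range(32))
INTERMEDIATE_SPKI = b"constructed-intermediate-ca-spki"
BACKUP_SPKI = b"constructed-offline-backup-spki"
ROGUE_SPKI = b"constructed-mis-issued-cert-spki"

HEADER = build_hpkp_header(
    [spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)],
    max_age=5184000,  # 60 days
    include_subdomains=True,
    report_uri="https://example.test/hpkp-report",  # assumed endpoint
)

if __name__ == "__main__":
    print(HEADER)
    policy = note_pinned_host(HEADER, [LEAF_SPKI, INTERMEDIATE_SPKI])
    print("host noted as pinned:", policy is not None)
    print("legitimate chain accepted:", chain_is_pinned(policy, [LEAF_SPKI, INTERMEDIATE_SPKI]))
    print("mis-issued chain accepted:", chain_is_pinned(policy, [ROGUE_SPKI, INTERMEDIATE_SPKI]))
```

The backup-pin rule is what makes a real deployment survivable: the mis-issued chain fails because its keys hash to nothing in the stored set, while the site can still rotate to the offline backup key, which was pinned without ever being served.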

Browser compatibility: The header was only ever implemented by the browsers listed below, and all of them have since removed it:

  • Google Chrome (added in version 46, removed in version 72)
  • Opera (Chromium-based; removed along with Chrome)
  • Firefox (added in version 35, removed in version 72)

Internet Explorer, Microsoft Edge and Safari never supported Public-Key-Pins.
