HTTP-based Public Key Pinning (HPKP)

HTTP-based Public Key Pinning (HPKP) allowed websites to send an HTTP header that tells the browser to "pin" one or more of the public keys and then to reject responses that came with a different public key, protecting against spoofed but still valid TLS certificates. It was a massive footgun, creating risks of denial of service, and as such was removed in Chrome 72 and disabled by default in Firefox 72. Chrome was the only browser that supported reporting via the report-uri="<url>" field of the Public-Key-Pins or Public-Key-Pins-Report-Only headers.

Example HPKP report

This is what a report looked like (PEM bodies elided):

{
  "date-time": "2018-09-02T15:31:07.231Z",
  "effective-expiration-date": "2018-10-02T15:31:02.188Z",
  "hostname": "www.example.com",
  "include-subdomains": true,
  "known-pins": [
    "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"",
    "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
  ],
  "noted-hostname": "example.com",
  "port": 443,
  "served-certificate-chain": [
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----"
  ],
  "validated-certificate-chain": [
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----"
  ]
}
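To show how the pieces above fit together, here is an added example (not code from the original page or from any browser vendor) that parses a Public-Key-Pins header into its pins and directives, validates the structure of a JSON report such as the one above as a report-uri endpoint would before storing it, computes a pin-sha256 value from raw SubjectPublicKeyInfo DER bytes, and applies the pin-validation rule that at least one SPKI in the validated chain must match a known pin. The header, report body, SPKI bytes and report URL below are constructed for illustration; the two pin values are the ones from the sample report.

```python
"""Added example: HPKP header parsing, report validation and pin computation.
All sample inputs are constructed for illustration (pins copied from the page)."""
import base64
import hashlib
import json
import re
from datetime import datetime

PIN_RE = re.compile(r'^pin-sha256="([A-Za-z0-9+/=]+)"$')
REQUIRED = ("date-time", "effective-expiration-date", "hostname", "port",
            "known-pins", "served-certificate-chain", "validated-certificate-chain")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(spki_ders: list, known_pins: list) -> bool:
    """Pin validation rule: some SPKI in the validated chain must hash to a known pin.
    The SPKI DER blobs are assumed to have been extracted from the chain elsewhere."""
    return any(spki_pin(der) in known_pins for der in spki_ders)


def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins(-Report-Only) header into its pins and directives."""
    pins, directives = [], {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            directives["max-age"] = int(val)
        elif name == "includesubdomains":
            directives["includeSubDomains"] = True
        elif name == "report-uri":
            directives["report-uri"] = val
    directives["pins"] = pins
    return directives


def validate_report(raw: str) -> list:
    """Return the problems found in a posted HPKP report body; an empty list means well-formed."""
    try:
        report = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    problems = [f"missing field {k}" for k in REQUIRED if k not in report]
    if problems:
        return problems
    for pin in report["known-pins"]:
        m = PIN_RE.match(pin)
        try:
            ok = m is not None and len(base64.b64decode(m.group(1))) == 32
        except ValueError:  # bad base64 padding
            ok = False
        if not ok:
            problems.append(f"malformed pin {pin}")
    try:
        sent = datetime.strptime(report["date-time"], TS_FMT)
        expires = datetime.strptime(report["effective-expiration-date"], TS_FMT)
        if expires <= sent:
            problems.append("pin set already expired when the report was generated")
    except ValueError:
        problems.append("timestamps are not RFC 3339 UTC with fractional seconds")
    if not isinstance(report["port"], int) or not 0 < report["port"] < 65536:
        problems.append("port out of range")
    for field in ("served-certificate-chain", "validated-certificate-chain"):
        for pem in report[field]:
            if not (pem.startswith("-----BEGIN CERTIFICATE-----")
                    and pem.rstrip().endswith("-----END CERTIFICATE-----")):
                problems.append(f"{field} entry is not PEM")
    return problems


# Constructed sample inputs (report-uri and SPKI bytes are placeholders, not real values).
SAMPLE_HEADER = ('pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; '
                 'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
                 'max-age=2592000; includeSubDomains; report-uri="https://example.com/hpkp-report"')
PEM_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----"
SAMPLE_REPORT = json.dumps({
    "date-time": "2018-09-02T15:31:07.231Z",
    "effective-expiration-date": "2018-10-02T15:31:02.188Z",
    "hostname": "www.example.com", "include-subdomains": True,
    "known-pins": ['pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="',
                   'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="'],
    "noted-hostname": "example.com", "port": 443,
    "served-certificate-chain": [PEM_PLACEHOLDER] * 2,
    "validated-certificate-chain": [PEM_PLACEHOLDER] * 3,
})
SAMPLE_SPKI = b"constructed-spki-der-bytes"  # placeholder, not a real SubjectPublicKeyInfo

if __name__ == "__main__":
    print(parse_pkp_header(SAMPLE_HEADER))
    print("report problems:", validate_report(SAMPLE_REPORT))
    print("pin for sample SPKI:", spki_pin(SAMPLE_SPKI))
```

A receiving endpoint should treat the report body as untrusted input: reject anything that fails validate_report, since a misconfigured or malicious client can post arbitrary JSON, and keep the chains for later analysis rather than acting on them automatically.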