HTTP-based Public Key Pinning (HPKP)
HTTP-based Public Key Pinning (HPKP) allowed websites to send an HTTP header telling the browser to "pin" one or more public keys and then to reject later responses that came with a different public key, protecting against spoofed but still valid TLS certificates. It was a massive footgun, creating risks of denial of service, and as such was removed in Chrome 72 and disabled by default in Firefox 72.
Chrome was the only browser that supported reporting via the report-uri="<url>" field of the Public-Key-Pins or Public-Key-Pins-Report-Only headers.
Example HPKP report
This is what the report looked like:
{
  "date-time": "2018-09-02T15:31:07.231Z",
  "effective-expiration-date": "2018-10-02T15:31:02.188Z",
  "hostname": "www.example.com",
  "include-subdomains": true,
  "known-pins": [
    "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"",
    "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
  ],
  "noted-hostname": "example.com",
  "port": 443,
  "served-certificate-chain": [
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----"
  ],
  "validated-certificate-chain": [
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----"
  ]
}
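Whoever receives such a report wants to confirm it describes a real pin-validation failure before acting on it. The Go program below is an added example, not code from the original page or any project it describes: it re-derives the SPKI pin of every certificate in validated-certificate-chain and checks it against known-pins. The names SPKIPin, IsGenuinePinFailure and SelfSignedPEM are mine, and the self-signed certificate is constructed input standing in for the placeholder PEM data above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
)

// SPKIPin computes a certificate's HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo)).
func SPKIPin(pemCert string) (string, error) {
	block, _ := pem.Decode([]byte(pemCert))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// IsGenuinePinFailure re-derives the pin of every certificate in the validated chain and
// returns true only if none of them is in known-pins; a match means the report is spurious.
func IsGenuinePinFailure(reportJSON []byte) (bool, error) {
	var r struct { // only the report fields this check needs
		KnownPins      []string `json:"known-pins"`
		ValidatedChain []string `json:"validated-certificate-chain"`
	}
	if err := json.Unmarshal(reportJSON, &r); err != nil { return false, err }
	for _, c := range r.ValidatedChain {
		pin, err := SPKIPin(c)
		if err != nil { return false, err }
		for _, kp := range r.KnownPins { // entries look like pin-sha256="<base64>"
			if kp == `pin-sha256="`+pin+`"` { return false, nil }
		}
	}
	return true, nil
}

// SelfSignedPEM builds a throwaway self-signed certificate as constructed input for the check.
func SelfSignedPEM() string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

The same check run over served-certificate-chain tells you which certificate the client actually saw; a report whose validated chain still carries a known pin is worth filing as noise rather than as an interception attempt.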