
HTTP Public Key Pinning

HTTP Public Key Pinning (HPKP) is a security mechanism that lets a website instruct browsers to associate specific cryptographic public keys with its domain, so that only certificate chains containing one of those keys are accepted for TLS connections to it; this blocks man-in-the-middle attacks that rely on a certificate issued by a compromised or misbehaving Certificate Authority. It works by sending an HTTP response header (Public-Key-Pins) that carries hashes of the expected public keys and a validity period, which the browser stores and enforces on subsequent visits. It has since been deprecated and removed from major browsers, because an accidental misconfiguration, such as pinning a key the site can no longer present, locks visitors out of the site until the pins expire.
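The following is an added example, not code from the original page: a minimal model of the browser side of HPKP as specified in RFC 7469. It computes pin-sha256 values, parses a Public-Key-Pins header, applies the RFC's rule that a policy is only noted when one pin matches the served chain and another pin (the backup) does not, and then runs pin validation on later visits. The SPKI inputs are constructed byte strings standing in for real DER-encoded SubjectPublicKeyInfo structures, and the header and report URI are constructed sample values; the rotated-key case shows the lockout the paragraph above describes.

```python
# Added example (not from the original page): a model of how a browser notes and
# enforces HPKP pins per RFC 7469. SPKI inputs are constructed byte strings that
# stand in for real DER SubjectPublicKeyInfo structures.
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinPolicy:
    pins: Set[str]                  # pin-sha256 values the browser will accept
    max_age: int                    # seconds the policy stays in effect
    include_subdomains: bool = False
    report_uri: Optional[str] = None


# directive forms: name, name=value, name="quoted value"
_DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)(?:=("?)([^";]*)\2)?')


def parse_pkp_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins header value into its directives."""
    pins, max_age, incl, report = set(), None, False, None
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name, val = m.group(1).lower(), m.group(3)
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            incl = True
        elif name == "report-uri":
            report = val
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age directive is required")
    return PinPolicy(pins, max_age, incl, report)


def note_pins(header: str, chain_spkis: List[bytes]) -> PinPolicy:
    """RFC 7469 section 2.5: the UA stores the policy only if at least one pin matches
    an SPKI in the validated chain AND at least one pin does not (a backup pin)."""
    policy = parse_pkp_header(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not (policy.pins & chain_pins):
        raise ValueError("no pin matches the certificate chain; header ignored")
    if not (policy.pins - chain_pins):
        raise ValueError("no backup pin present; header ignored")
    return policy


def header_is_noted(header: str, chain_spkis: List[bytes]) -> bool:
    """True if the browser would accept and store this header for this chain."""
    try:
        note_pins(header, chain_spkis)
        return True
    except ValueError:
        return False


def pin_validation(policy: PinPolicy, chain_spkis: List[bytes]) -> bool:
    """Later visit: allowed only if some SPKI in the served chain matches a stored pin."""
    return any(spki_pin(s) in policy.pins for s in chain_spkis)


# --- constructed sample data (stand-ins for real DER SPKI bytes) ---
CURRENT_SPKI = b"constructed-spki-of-current-leaf-key"
BACKUP_SPKI = b"constructed-spki-of-offline-backup-key"
ROTATED_SPKI = b"constructed-spki-of-new-key-never-pinned"

HEADER = (f'pin-sha256="{spki_pin(CURRENT_SPKI)}"; '
          f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
          'max-age=5184000; includeSubDomains; report-uri="https://example.com/hpkp-report"')
HEADER_NO_BACKUP = f'pin-sha256="{spki_pin(CURRENT_SPKI)}"; max-age=5184000'


def demo() -> dict:
    policy = note_pins(HEADER, [CURRENT_SPKI])
    return {
        "ok_current": pin_validation(policy, [CURRENT_SPKI]),
        # planned rotation to the pinned backup key keeps working
        "ok_after_planned_rotation": pin_validation(policy, [BACKUP_SPKI]),
        # the lockout case: key replaced with one never pinned -> refused until max-age expires
        "locked_out": not pin_validation(policy, [ROTATED_SPKI]),
        # a header with no backup pin is never stored in the first place
        "rejected_without_backup": not header_is_noted(HEADER_NO_BACKUP, [CURRENT_SPKI]),
    }


if __name__ == "__main__":
    print(demo())
```

The `locked_out` case is the operational hazard that led to HPKP's deprecation: once a browser has stored the policy, a site whose backup key is lost or whose new key was never pinned is unreachable for every returning visitor for the full max-age window, and nothing the server sends afterwards can shorten that.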

Also known as: HPKP, Public Key Pinning, Certificate Pinning, TLS Pinning, HTTP PKP

Why learn HTTP Public Key Pinning?

Developers should learn HPKP to understand historical web security practices and the evolution of certificate validation, as it was used to mitigate risks from compromised Certificate Authorities. It's relevant for security audits, legacy system maintenance, or studying alternatives like Certificate Transparency and Expect-CT headers, which address similar threats without HPKP's operational hazards.
