Skip to main

HTTP Public Key Pinning (HPKP))

Purpose

Why use this header at all?

This header had, in the past, allowed you to better protect your site from certificate issues/attacks. Its implementation wasn't great and could cause your site to be hard-down for a long period of time. It has since been removed.

Recommendation

Consider the Impact of Compliance section below to see if this recommendation works for you.

Do not implement this header, it has no impact on modern browsers (it has been removed), and even the entire Moz Top500 has 0% of sites implementing this header. For the oddballs that still support it (Opera, maybe others?), you might have a really bad day if you roll this one out.

Risk Mitigated

By following this recommendation, what risk is mitigated?

This header has been removed from the vast market share of browsers, therefore should be considered to mitigate nothing.

Impact of Compliance

By using this header, you may expect these changes in your site's functionality

Implementing this header incorrectly can make your entire domain inaccessible until the max-age parameter elapses, taking down your website for months or even a year.


Read More!

Welcome! The library is new, and has some content to read over -- We'll be adding more soon!