HTTP Public Key Pinning (HPKP))
Why use this header at all?
This header had, in the past, allowed you to better protect your site from certificate issues/attacks. Its implementation wasn't great and could cause your site to be hard-down for a long period of time. It has since been removed.
Consider the Impact of Compliance section below to see if this recommendation works for you.
Do not implement this header, it has no impact on modern browsers (it has been removed), and even the entire Moz Top500 has 0% of sites implementing this header. For the oddballs that still support it (Opera, maybe others?), you might have a really bad day if you roll this one out.
By following this recommendation, what risk is mitigated?
This header has been removed from the vast market share of browsers, therefore should be considered to mitigate nothing.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality
Implementing this header incorrectly can make your entire domain inaccessible until the
max-age parameter elapses, taking down your website for months or even a year.
- Cache Control
- Cookie Flags: Secure
- Cookie Flags: HTTPOnly
- HTTP Strict Transport Security (HSTS)
- HTTP Public Key Pinning (HPKP)