HTTP Public Key Pinning
HTTP Public Key Pinning (HPKP) is a security extension for HTTP that allows website operators to instruct user agents, such as web browsers, to associate specific cryptographic public keys with a given host, ensuring that future TLS connections only accept certificates backed by those pinned keys to prevent impersonation by attackers using forged certificates.[1]
Introduced in RFC 7469 by the Internet Engineering Task Force (IETF) in April 2015, HPKP operates by delivering pinning instructions via the Public-Key-Pins HTTP response header, which includes directives such as pin-sha256 for specifying base64-encoded SHA-256 hashes of Subject Public Key Info (SPKI) structures, max-age to define the pinning validity period (in seconds), includeSubDomains to extend pinning to subdomains, and optionally report-uri for violation reporting.[1] Upon receiving the header during an initial HTTPS connection, the user agent stores the pinset and enforces it on subsequent visits within the specified timeframe, requiring at least one matching pin from the current certificate chain or a designated backup pin to avoid connection failures.[1] This trust-on-first-use (TOFU) model aimed to limit reliance on certificate authorities (CAs) by detecting unauthorized key changes, enhancing protection against certificate misissuance after the first successful connection.[1][2]
Despite its innovative approach to public key pinning, HPKP faced significant challenges, including low adoption rates due to its complexity in managing pinsets for certificate rotations and load balancing, as well as severe operational risks such as self-inflicted denial-of-service (DoS) from misconfigurations or expired pins, which could lock users out of sites for extended periods.[2][3] Additionally, it was vulnerable to exploitation in man-in-the-middle scenarios or domain hijacking, where attackers could impose hostile pins to disrupt access.[4] These issues, coupled with the rise of more robust alternatives like Certificate Transparency (CT) for detecting misissued certificates and DNS-based Authentication of Named Entities (DANE) for direct key pinning, led to its rapid decline.[2][3]
HPKP support was deprecated and removed across major browsers starting in 2018. Google announced its deprecation in Chrome 67 (May 2018) and full removal in Chrome 72 (January 2019), citing the mechanism's risks and recommending the Expect-CT header as a transitional alternative for certificate transparency enforcement.[3] Mozilla followed suit, disabling HPKP by default in Firefox 72 (December 2019) and removing it entirely to reduce compatibility errors and attack surface, as continuing support would isolate Firefox users on misconfigured sites after Chrome's exit.[4] Other browsers, including Safari and Edge, never fully implemented it or have since dropped support.[5] As of 2025, HPKP is obsolete and unsupported in all major web browsers, rendering it ineffective for new deployments and advising against its use in favor of modern PKI safeguards.[5][6]
Background
History and Development
HTTP Public Key Pinning (HPKP) originated from efforts by Google to address vulnerabilities in the public key infrastructure (PKI) for web security. In November 2011, Google engineers Chris Evans and Chris Palmer submitted the initial Internet-Draft titled "Public Key Pinning Extension for HTTP" to the Internet Engineering Task Force (IETF), marking the formal proposal of the mechanism.[7] This draft introduced the concept of using an HTTP header to instruct user agents to associate specific public keys with a host, thereby mitigating risks from compromised certificate authorities.
The proposal was developed within the IETF's Web Security (WebSec) Working Group, which focused on enhancing HTTPS protections. HPKP evolved alongside other initiatives like HTTP Strict Transport Security (HSTS), contributing to a broader push for standardized web security measures to prevent man-in-the-middle attacks through improved certificate handling.[8] Over the following years, multiple revisions of the draft incorporated feedback, with Ryan Sleevi joining as a co-author in later versions to refine the specification.
A key milestone occurred in 2014 when Google implemented HPKP support in Chrome version 38, enabling early adoption and testing of the feature in production environments.[9] The effort culminated in April 2015 with the publication of RFC 7469 as a Proposed Standard, formally defining the Public Key Pinning Extension for HTTP and authored by Evans, Palmer, and Sleevi.[10] This document established HPKP as a proposed standard, though its evolution highlighted ongoing debates about its practical deployment and risks.
Security Motivations
HTTP Public Key Pinning (HPKP) was primarily developed to mitigate man-in-the-middle (MITM) attacks that exploit compromised certificate authorities (CAs), where attackers could obtain fraudulent certificates to impersonate legitimate websites.[8] In such scenarios, a compromised CA can issue certificates for any domain, allowing attackers to intercept and decrypt HTTPS traffic without detection, as clients trust the CA's signature on the certificate chain.[11]
The vulnerabilities in the public key infrastructure (PKI) stem from the hierarchical trust model, where clients rely on a chain of CA signatures rather than directly verifying the server's public key, creating multiple points of failure if any CA in the chain is breached.[11] A prominent example is the 2011 DigiNotar breach, in which hackers compromised the Dutch CA and issued over 500 fraudulent certificates for domains like Google and Microsoft, enabling widespread MITM attacks primarily targeting Iranian users. This incident highlighted how even a single compromised CA could undermine global trust in the PKI ecosystem, as browsers and operating systems inherently trust numerous CAs without granular validation.
HPKP addresses these issues by allowing websites to specify and pin particular public keys or hashes, enforcing that future connections only accept certificates backed by those exact keys, thereby bypassing reliance on potentially untrustworthy CA signatures.[8] This mechanism strongly asserts the site's cryptographic identity, even against issuer malfeasance or compromise, reducing the attack surface from the entire CA hierarchy to a controlled set of keys.[8]
For high-value sites handling sensitive data, such as financial institutions or government portals, HPKP provides enhanced protection against key substitution attacks by limiting the valid certificate options to pre-approved pins, significantly raising the bar for adversaries attempting to forge trusted connections.[8] This targeted approach ensures that the pinned keys remain the sole basis for authentication during the pinning period, offering a more robust defense than CA-only validation.[8]
Technical Mechanism
Pinning Process
The pinning process in HTTP Public Key Pinning (HPKP) begins when a server, during a secure transport connection such as TLS, includes the Public-Key-Pins HTTP response header in its message to the user agent (UA), typically a web browser. This header instructs the UA to associate a set of cryptographic public keys, known as a pin-set, with the host's domain for a specified duration. The header must include at least the max-age directive, indicating the number of seconds (e.g., 2592000 for 30 days) the pin-set remains valid, and one or more pin-sha256 directives specifying base64-encoded SHA-256 hashes of the public keys to pin.[12]
Upon receiving a valid Public-Key-Pins header over a secure connection, the UA extracts the pin-set and marks the host as a Known Pinned Host. It then stores the domain name, the effective date of pinning (the current time), the expiration time (effective date plus max-age), and the pin-set hashes in its local storage. Pins are computed by taking the Subject Public Key Info (SPKI) structure from X.509 certificates—specifically, the DER-encoded public key data—and hashing it with SHA-256, then encoding the result in base64. This process ensures that only the specified public keys are trusted for future interactions with the host, preventing the use of unauthorized certificates issued by compromised certificate authorities.[13][14]
For subsequent connections to the pinned host within the max-age period, the UA performs pin-set validation by examining the entire certificate chain presented by the server. It computes SHA-256 SPKI hashes for the end-entity certificate and each intermediate certificate in the chain, then checks whether at least one of these hashes matches a hash in the stored pin-set. To support key rotation—such as transitioning to a new certificate—the pin-set typically includes a backup pin, which is a hash of a future public key not currently in use but expected to be valid later. If the intersection between the presented chain's hashes and the stored pin-set is non-empty (i.e., at least one valid pin matches), the connection proceeds; otherwise, validation fails.[15][16]
In enforcement mode, which is the default for HPKP, a pin validation failure is treated as a non-recoverable error. The UA immediately terminates the connection without allowing user overrides or fallbacks, ensuring strict adherence to the pinned keys and mitigating risks from impersonation attacks. This includes scenarios where the entire pin-set mismatches or where technical issues, such as an expired max-age, prevent validation, in which case the UA falls back to standard certificate verification until a new header refreshes the pins. Site operators must carefully manage pin-sets to include backup pins, as a failure to do so could lock users out if keys are rotated without prior announcement.[15]
The HTTP Public-Key-Pins header, defined in RFC 7469, instructs user agents to associate specific cryptographic public keys with a web host, enabling pinning to prevent impersonation by unauthorized certificates.[1] The header follows the general syntax Public-Key-Pins: <directive>*(OWS ";" OWS <directive>), where directives are case-insensitive and their order does not matter; unrecognized directives are ignored, and the header must appear at most once per response.[1] Key directives include max-age, includeSubDomains, pin-sha256, and the optional report-uri.[1]
The max-age directive is mandatory and specifies the time period, in seconds, for which the pinning policy applies, using the format max-age=<delta-seconds> where <delta-seconds> is a positive integer.[1] For example, max-age=518400 sets the policy for 6 days (518,400 seconds).[1] User agents may enforce an upper limit on this value, such as 5,184,000 seconds (60 days), to balance security with operational flexibility.[1]
The includeSubDomains directive, when present without a value, extends the pinning policy to all subdomains of the host unless overridden by a more specific policy.[1] It is optional and useful for sites with subdomain architectures sharing the same certificate authority.
The pin-sha256 directive pins specific public keys by including their base64-encoded SHA-256 hashes of the Subject Public Key Info (SPKI), in the format pin-sha256="<base64 SHA-256 hash>"; at least one such directive is required, and multiple can be specified.[1] These hashes represent either the server's current public key or backup keys not present in the existing certificate chain, as computed from the DER-encoded SPKI structure (detailed in the pinning process).[1] For instance, pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" pins a specific key.
The optional report-uri directive specifies a URI endpoint for reporting pinning violations, using the format report-uri="<absolute-URI>", such as report-uri="https://example.com/report".[1] It enables server-side monitoring without enforcing the policy.
A sample header for a site pinning its primary key and a backup might read:
Public-Key-Pins: max-age=3000; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; includeSubDomains
Public-Key-Pins: max-age=3000; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; includeSubDomains
This sets a 50-minute policy (3,000 seconds) applying to subdomains, pinning two keys.[1] Another example, including reporting, is:
Public-Key-Pins: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; report-uri="https://example.com/pkp-report"
Public-Key-Pins: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; report-uri="https://example.com/pkp-report"
This applies a 30-day policy (2,592,000 seconds) with a single backup pin and violation reporting.[1]
Constraints include the requirement for at least two pins: one matching a key in the current certificate chain and at least one backup to avoid self-denial-of-service.[1] While max-age can be as low as 1 second, practical deployments typically use values of several days or more to ensure effective policy enforcement, with 60 days as a common upper recommendation.[1] User agents limit the number of pins processed, often to around 10, but operators are advised to use 1-2 primary pins plus backups for simplicity and reliability.[1]
Reporting and Enforcement
Report-Only Mode
The Public-Key-Pins-Report-Only header provides a non-enforcing variant of HTTP Public Key Pinning (HPKP), enabling site operators to deploy and test pinning policies without interrupting user access to the site.[1] This header uses the same directive syntax as the enforcing Public-Key-Pins header but instructs user agents to evaluate the policy only for reporting purposes, rather than blocking connections on validation failures.[17] By design, it allows administrators to monitor potential issues in real-world scenarios, such as mismatched public keys during certificate rotations, thereby facilitating safer experimentation.[18]
In terms of browser behavior, user agents process the Public-Key-Pins-Report-Only header by validating the current connection against the specified pins but do not store or cache the policy for future use, as the max-age directive is ignored.[19] If a violation is detected—such as when the served certificate chain does not match any pinned key—the browser generates a report but proceeds with the connection uninterrupted, in contrast to the enforcing mode which would terminate the session.[17] This one-time evaluation per response ensures that testing remains isolated to the immediate request, minimizing unintended side effects.[20]
The primary purpose of this mode is to support gradual rollout and validation of pin-sets, allowing operators to collect violation data and refine configurations before enabling enforcement.[18] For instance, it is recommended for initial deployments on production sites with a short max-age value to observe behavior across diverse user agents, or for A/B testing on subsets of resources to verify pin validity without broad disruption.[18] This approach helps build confidence in the pinning strategy, as reports can reveal issues like incomplete sub-domain coverage or key backup omissions early in the process.[18]
Violation Reporting
Violation reporting in HTTP Public Key Pinning (HPKP) is triggered when a user agent encounters a pin validation failure for a known pinned host that includes a report-uri directive in its policy, whether in enforcing or report-only mode.[21] This mechanism allows site operators to receive notifications of potential issues, such as mismatched certificates or compromised keys, without necessarily blocking the connection in report-only mode.[22]
The report is sent as an HTTP POST request to the URI specified in the report-uri directive, containing a JSON payload with detailed information about the violation.[21] Key fields in the JSON include:
date-time: The time of the validation failure, formatted according to RFC 3339.[21]hostname: The hostname of the original request.[21]port: The port number of the request, as an integer.[21]effective-expiration-date: The expiration date of the pins, in RFC 3339 format.[21]include-subdomains: A boolean indicating whether the includeSubDomains directive was present.[21]noted-hostname: The hostname recognized as a known pinned host.[21]served-certificate-chain: An array of PEM-encoded certificates from the served chain.[21]validated-certificate-chain: An array of PEM-encoded certificates from the validated chain.[21]known-pins: An array of the pinned Subject Public Key Info (SPKI) fingerprints.[21]
User agents are required to make a best-effort attempt to deliver these reports but may cancel transmission if the connection to the report-uri itself fails pin validation or encounters other certificate errors.[22]
Browser implementations varied in support for HPKP violation reporting. Google Chrome, starting with version 46, sent reports for violations detected via the Public-Key-Pins-Report-Only header, applying validation to all relevant requests including those to the report endpoint, and recommended using an unpinned domain for the report-uri to avoid recursive failures.[20] Mozilla Firefox did not implement the report-uri directive for HPKP reporting, limiting its support to enforcement without notifications.[23] To prevent abuse or server overload, user agents implemented rate-limiting, such as avoiding redundant reports for identical pin sets, and could retry failed deliveries under certain conditions.[22]
Upon receipt, servers can analyze these reports to identify issues like invalid pins or key compromises, enabling operators to update pin sets, revoke affected keys, or refine policies accordingly.[22]
Criticisms and Risks
Implementation Challenges
Implementing HTTP Public Key Pinning (HPKP) presents several practical difficulties in deployment and maintenance, primarily due to the need for precise coordination between certificate management and client-side enforcement. Operators must possess significant operational maturity to avoid self-inflicted denials of service, as mismatched pins can render sites inaccessible to users whose browsers have cached the headers.[24]
Key rotation poses a major challenge, as certificate renewals often introduce new public keys that must be anticipated and incorporated into pinsets well in advance. Without careful planning, sites risk locking out users during transitions, particularly since browsers enforce pins for the duration specified by the max-age directive, which user agents may cap at 60 days to allow recovery from errors. To mitigate this, operators are advised to phase in new keys gradually and include backup pins—fingerprints of secondary, offline keys—for failover, ensuring at least one valid pin remains available even if the primary key is compromised or expires unexpectedly.[25][13][26]
Deploying HPKP in distributed environments, such as those using load balancers or content delivery networks (CDNs), introduces complications from inconsistent certificate usage across infrastructure components. Load-balanced systems may present different valid certificates depending on geographic location or backend server, necessitating comprehensive pinsets that encompass all potential keys to prevent violations. CDNs exacerbate this by frequently rotating edge certificates for security reasons, which can invalidate pins and cause widespread outages if not synchronized with the origin server's headers.[27][28]
Debugging HPKP violations is hindered by common configuration errors, such as incorrect hash generation (e.g., using SHA-1 instead of SHA-256) or failing to account for subdomain variations when the includeSubDomains directive is enabled. These mistakes often manifest as browser errors like ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, requiring operators to verify pinsets against all trust chains and test across multiple user agents. The trust-on-first-use model further complicates troubleshooting, as initial misconfigurations can propagate without immediate feedback unless report-uri is utilized to log violations.[27][29]
The operational overhead of HPKP is substantial, involving continuous monitoring of violation reports, real-time synchronization of client pinsets with server keys, and periodic updates to max-age values without introducing downtime. This demands dedicated resources for auditing and maintaining pinsets, especially in dynamic environments, where even minor desynchronizations can lead to service disruptions.[24][27]
Security Trade-offs
HTTP Public Key Pinning (HPKP) provides robust defense against man-in-the-middle (MITM) attacks enabled by compromised certificate authorities (CAs) by restricting browsers to predefined public keys, but this comes at the cost of heightened operational risks for site operators.[8] The mechanism enforces strict key validation, which can enhance security in targeted scenarios but introduces vulnerabilities if not managed meticulously, as evidenced by its eventual deprecation in major browsers due to these imbalances.[3]
A primary risk is brickage, where a website becomes permanently inaccessible to users if the private keys corresponding to pinned public keys are lost or if pins are misconfigured, such as through expiration without proper renewal.[8] Without adequate backup pins—secondary keys stored offline to allow recovery—browsers will reject all connections to the domain once the maximum age period elapses, potentially locking out legitimate users for weeks or months depending on the configured duration.[8] This self-inflicted denial-of-service scenario has been cited as a key reason for HPKP's limited adoption and subsequent removal, as the recovery window is intentionally narrow to maintain security.[3]
HPKP also diminishes flexibility within the CA ecosystem by circumventing the broader trust model of public key infrastructure (PKI), where sites rely on multiple CAs for redundancy.[8] By pinning specific subject public keys or issuer keys, sites forgo the ability to seamlessly switch CAs or incorporate new ones without updating pins, which requires broadcasting new headers and waiting out the max-age period—often 30 to 60 days—to avoid brickage.[8] This rigidity complicates multi-vendor certificate management and adaptation to evolving PKI standards, trading short-term security gains for long-term operational constraints.[30]
The protocol expands the attack surface in subtle ways, particularly through its reporting and backup mechanisms. Violation reports sent to a designated URI could be intercepted if not secured with HTTPS, potentially leaking sensitive validation details to adversaries, though user agents mitigate this by limiting report frequency.[8] Compromised backup pins pose another threat: since backups are public, an attacker gaining the associated private key could perform persistent MITM attacks during the transition period, undermining the very protections HPKP aims to provide.[8] These exposures, combined with the potential for hostile pinning via initial MITM before enforcement, highlight how HPKP shifts risks from CA dependencies to key management intricacies.[3]
In terms of comparative efficacy, HPKP excels at thwarting CA breaches by invalidating unauthorized certificates, even from trusted issuers, offering stronger safeguards than standard TLS validation alone.[8] However, it provides limited defense against threats like DNS spoofing, where an attacker redirects traffic to a malicious server; while pin mismatches would block such connections, the mechanism does not address the underlying resolution vulnerabilities, leaving sites exposed if DNS integrity is compromised upstream.[30] Overall, its narrow focus on key pinning renders it less versatile than holistic alternatives like Certificate Transparency, which monitor issuance without enforcing rigid locks.[3]
Deprecation and Legacy
Browser Support Timeline
HTTP Public Key Pinning (HPKP) saw its initial browser adoption in 2014 with Google Chrome version 37, released in September 2014, which introduced support for the mechanism to enhance certificate security against mis-issuance attacks.[5] This was followed by Mozilla Firefox in version 35, launched in January 2015, enabling users to enforce pinned public keys via HTTP headers.[5] Opera, based on the Chromium engine, integrated HPKP in version 25 in 2015.[5]
By 2016, HPKP reached peak support across major browsers, with Chrome, Firefox, and Opera providing full enforcement of pinning policies, allowing websites to specify and validate cryptographic identities for extended periods.[9] This widespread availability marked a brief era of robust implementation, where browsers actively blocked connections to sites using untrusted certificates if they violated pinned keys, contributing to heightened security for HTTPS deployments during that time.
Deprecation began in 2019 amid concerns over usability and risks. Google Chrome version 72, released in January 2019, fully removed HPKP support, transitioning any remaining dynamic pinning to report-only mode without enforcement to avoid site breakage.[31] Similarly, Mozilla Firefox version 72, released in December 2019, disabled HPKP enforcement by default, setting the pinning level to report-only and ceasing active validation of new pins.[4]
As of November 2025, no major browser enforces HPKP policies, rendering the mechanism obsolete for new implementations.[5]
Alternatives to HPKP
Certificate Transparency (CT) serves as a primary alternative to HPKP by establishing a system of publicly verifiable logs for all issued TLS certificates, enabling domain owners and subscribers to monitor and detect unauthorized or mis-issued certificates in near real-time. This framework uses append-only Merkle trees to record certificates, with Signed Certificate Timestamps (SCTs) embedded in certificates or delivered via TLS extensions, allowing browsers to verify compliance without relying on site-specific key pinning. Since April 30, 2018, Google Chrome has mandated CT inclusion for all publicly trusted certificates issued after that date, treating non-compliant ones as invalid; similar requirements have been adopted by other major browsers, such as Firefox enforcing it for public CAs starting in version 135 (February 2025).[32][33]
The Expect-CT HTTP header acted as a precursor to full CT enforcement, instructing browsers to check for SCTs in a report-only mode and report violations, thereby encouraging compliance during the transition period. Introduced by Google in 2018, it allowed sites to opt into CT validation with a configurable max-age and report-uri for violations, but it became obsolete as mandatory CT took effect, leading to its deprecation in Chrome 105 in August 2022 and removal in subsequent versions.[34][35]
Certification Authority Authorization (CAA) DNS records provide another key alternative by allowing domain owners to specify which certificate authorities (CAs) are permitted to issue certificates for their domains, effectively restricting mis-issuance at the issuance stage without the rigidity of key pinning. Defined in RFC 8659, CAA records include tags like "issue" to authorize specific CAs and "iodef" for reporting unauthorized attempts; CAs have been required to query and respect these records before issuing certificates since September 2017 under CA/Browser Forum Ballot 187. When combined with DNSSEC for cryptographic validation of DNS responses, CAA enables multi-perspective validation, where issuance checks occur from multiple network vantage points to mitigate localized attacks like BGP hijacking. Starting in September 2025, the CA/Browser Forum's Multi-Perspective Issuance Corroboration (MPIC) requirement further strengthens this by mandating consistent validation results across independent perspectives for domain control and CAA checks.[36][37]
Emerging standards for key attestation, such as those defined by the FIDO Alliance, support device-bound keys through mechanisms like the Attestation Application Identifier (AAID), which identifies the authenticator type and enables verification of key generation and storage within secure hardware environments. These protocols, part of FIDO2 and WebAuthn specifications, provide pinning-like assurances for authentication credentials by attesting that keys are bound to specific devices and resistant to extraction, offering an alternative in scenarios beyond TLS where key compromise must be prevented.
For modern deployments seeking HPKP-like security, experts recommend combining HTTP Strict Transport Security (HSTS) with preload lists—where sites submit to browser-maintained lists for enforced HTTPS redirection—and Certificate Transparency for ongoing monitoring, as this layered approach mitigates impersonation risks without the potential for self-denial-of-service inherent in pinning. This strategy has been endorsed by browser vendors and security standards bodies as a balanced, scalable solution since HPKP's deprecation.[38][2]