Compare Revisions
Public-Key-Pins
Revision 1145834:
Revision 1145834 by fscholz on
Revision 1146566:
Revision 1146566 by fscholz on
- Title: Public-Key-Pins (unchanged between the two revisions)
- Slug: Web/HTTP/Headers/Public-Key-Pins (unchanged)
- Tags: "HPKP" "HTTP" "Reference" "Security" "header" (unchanged)
- Content:
Revision 1145834 Revision 1146566 n 50 One or more pins. n 50 The quoted string is the Base64 encoded Subject Public Ke > y Information ({{Glossary("SPKI")}}) fingerprint. It is possible > to specify multiple pins for different public keys. Some browsers > might allow other hashing algorithms than SHA-256 in the future. n 53 max-age=<expire-time> {{optional_inline}} n 53 max-age=<expire-time> n 56 tbd n 56 The time, in seconds, that the browser should remember th > at this site is only to be accessed using one of the defined keys > . n 62 tbd n 62 If this optional parameter is specified, this rule applie > s to all of the site's subdomains as well. n 68 tbd n 68 If this optional parameter is specified, pin validation f > ailures are reported to the given URL. n 71 <h2 id="Examples"> n 71 <h2 id="Example"> 72 Examples 72 Example n n 74 <pre> 75 Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+s > oZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPW > E="; max-age=5184000; includeSubDomains; report-uri="https://www. > example.org/hpkp-report" 76 </pre> t 75 tbd t 78 In this example, <strong>pin-sha256="cUPcTAZWKaASuYWhhneDtt > WpY3oBAkE3h2+soZS7sWs="</strong> pins the server's public key use > d in production. The second pin declaration <strong>pin-sha256="M > 8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="</strong> also pins t > he backup key. <strong>max-age=5184000</strong> tells the client > to store this information for two months, which is a reasonable t > ime limit according to the IETF RFC. This key pinning is also val > id for all subdomains, which is told by the <strong>includeSubDom > ains</strong> declaration. Finally, <strong>report-uri="https://w > ww.example.org/hpkp-report"</strong> explains where to report pin > validation failures.
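Review bot: the closing sentence of new line 50, "Some browsers might allow other hashing algorithms than SHA-256 in the future", is unsourced speculation in a reference page. Either cite where another pin hash is proposed or drop the sentence and state plainly that pin-sha256 is the only pin directive documented here.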
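Review bot: the new description of max-age on line 56 never says the directive is mandatory, even though the hunk removes the {{optional_inline}} marker from line 53 while lines 62 and 68 both open with "If this optional parameter is specified". Add a sentence to line 56 stating that max-age is required, so every directive's optional or required status is explicit and consistent across the table.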
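Review bot: changing the heading from <h2 id="Examples"> to <h2 id="Example"> on line 71 changes the fragment identifier, so any existing link to #Examples on this page stops resolving. Keep id="Examples" while changing only the visible heading text on line 72, or confirm that no inbound links depend on the old anchor before renaming it.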
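Review bot: the explanation on line 78 says the second pin-sha256 value "also pins the backup key" without saying why a site should list a pin for a backup key alongside the production key, and "a reasonable time limit according to the IETF RFC" does not name the RFC. Add a short sentence on the purpose of the backup pin and cite the RFC by number so the two-month max-age guidance can be checked; the arithmetic itself is fine, since 5184000 seconds is 60 days.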