Revision 1146566 of Public-Key-Pins

  • Revision slug: Web/HTTP/Headers/Public-Key-Pins
  • Revision title: Public-Key-Pins
  • Revision id: 1146566
  • Creator: fscholz

Revision Content

{{HTTPSidebar}}

The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of {{Glossary("MITM")}} attacks with forged certificates.

Header type {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}} no

Syntax

Public-Key-Pins: pin-sha256="<pin-value>";
                 max-age=<expire-time>;
                 includeSubDomains;
                 report-uri="<uri>"

Directives

pin-sha256="<pin-value>"
The quoted string is the Base64 encoded Subject Public Key Information ({{Glossary("SPKI")}}) fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than SHA-256 in the future.
max-age=<expire-time>
The time, in seconds, that the browser should remember that this site is only to be accessed using one of the defined keys.
includeSubDomains {{optional_inline}}
If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
report-uri="<uri>" {{optional_inline}}
If this optional parameter is specified, pin validation failures are reported to the given URL.

Example

Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; max-age=5184000; includeSubDomains; report-uri="https://www.example.org/hpkp-report"

In this example, pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=" pins the server's public key used in production. The second pin declaration, pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=", pins a backup key. max-age=5184000 tells the client to store this information for two months, which is a reasonable time limit according to the IETF RFC. The includeSubDomains declaration makes the pinning apply to all subdomains as well. Finally, report-uri="https://www.example.org/hpkp-report" specifies where pin validation failures are to be reported.
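As an added example (not part of the MDN page), the following Python computes a pin-sha256 value from DER SubjectPublicKeyInfo bytes, assembles a Public-Key-Pins header value, parses a header value back, and performs the match a client makes against the served certificate chain. The Ed25519 SPKI byte strings are constructed placeholders, and the "at least two pins" check is a simplified stand-in for RFC 7469's backup-pin requirement.

```python
import base64
import hashlib

# Constructed sample keys: the 12-byte prefix is the fixed DER header of an
# Ed25519 SubjectPublicKeyInfo; the 32 key bytes that follow are made up.
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
PRODUCTION_SPKI = SPKI_PREFIX + bytes(range(32))
BACKUP_SPKI = SPKI_PREFIX + bytes(range(32, 64))


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: Base64 of the SHA-256 digest over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(spki_list, max_age, include_subdomains=False, report_uri=None):
    """Assemble the header value. Simplified check: RFC 7469 requires a backup
    pin, i.e. a pin that matches no key in the served chain, so never pin one key."""
    if len(spki_list) < 2:
        raise ValueError("supply at least two keys: a backup pin is required")
    parts = ['pin-sha256="%s"' % spki_pin(k) for k in spki_list]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_header(value: str) -> dict:
    """Parse the directives of a header value; names are case-insensitive."""
    result = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(arg, validate=True)) != 32:
                raise ValueError("pin-sha256 must be a Base64 SHA-256 digest")
            result["pins"].append(arg)
        elif name == "max-age":
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "report-uri":
            result["report_uri"] = arg
    return result


def chain_matches(header: dict, chain_spkis) -> bool:
    """The client's check: some SPKI in the served chain must match a stored pin."""
    return any(spki_pin(k) in header["pins"] for k in chain_spkis)
```

Feeding the page's own example value to parse_header yields two pins, max_age 5184000, include_subdomains True and the report URI shown above; a served chain whose SPKIs match none of the stored pins fails chain_matches, which is the case the report-uri endpoint would hear about.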

Specifications

Specification Title
{{RFC("7469", "Public-Key-Pins", "2.1")}} Public Key Pinning Extension for HTTP

Browser compatibility

{{Compat("http/headers/public-key-pins")}}

See also

  • {{HTTPHeader("Public-Key-Pins-Report-Only")}}
