HPKP

HTTP Public Key Pinning (HPKP), specified in RFC 7469, was a security mechanism that let a website tell browsers which public keys were allowed to appear in its certificate chain, so that a certificate for the domain obtained by any other route (from a compromised or misbehaving certificate authority, for example) would be rejected. This defeats man-in-the-middle attacks that rely on a mis-issued but otherwise valid certificate. The site sent a Public-Key-Pins response header over an already validated HTTPS connection; the header carried one or more pin-sha256 values (the base64-encoded SHA-256 hash of a certificate's DER-encoded SubjectPublicKeyInfo, not of the certificate itself), a max-age in seconds, and optionally includeSubDomains and a report-uri. A browser noted the pins only if at least one of them matched the current chain and at least one did not (the required backup pin), and it then refused any connection to the host whose chain matched none of the noted pins until max-age expired. HPKP has been deprecated because a mistaken, stale, or attacker-supplied pin set locks legitimate users out of the site for the entire max-age period with no way for the operator to recover them, and it is no longer supported by major browsers: Chrome and Firefox both removed it (each in its version 72 release) and Safari never implemented it.
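As an added example (not code from the original page or from any browser), the following Python shows how a pin-sha256 value is derived from an SPKI, how a browser decided whether to note a Public-Key-Pins header, and whether a later certificate chain satisfies the noted pins. The SPKI blobs are constructed Ed25519 SubjectPublicKeyInfo structures with made-up key bytes so the script runs offline; the header values, the host, and the report URI are assumptions.

```python
"""HPKP (RFC 7469) pin derivation and browser-side policy checks.

Added example, not the page's own code. The SPKI values are constructed
Ed25519 SubjectPublicKeyInfo blobs (fixed DER prefix + made-up key bytes)
so the script runs offline; real pins come from a certificate's real SPKI.
"""
import base64
import hashlib
import re

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (33 bytes) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def fake_spki(seed: int) -> bytes:
    """Constructed SPKI for illustration only: prefix + 32 deterministic bytes."""
    return ED25519_SPKI_PREFIX + bytes([(seed * 7 + i) % 256 for i in range(32)])


LEAF_SPKI = fake_spki(1)    # key in the certificate the site currently serves
BACKUP_SPKI = fake_spki(2)  # offline backup key, present in no served certificate
ROGUE_SPKI = fake_spki(3)   # key in a mis-issued certificate from another CA


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 section 2.4: pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(pins, max_age, include_subdomains=False, report_uri=None) -> str:
    """Assemble a Public-Key-Pins header value (server side)."""
    parts = ['pin-sha256="%s"' % p for p in pins]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


# directive-name [= quoted-string | token]; directives are separated by ';'
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("([^"]*)"|([^;\s]*)))?\s*')


def parse_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value; unknown directives are ignored."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.fullmatch(raw)
        if not m:
            raise ValueError("malformed directive: %r" % raw)
        name = m.group(1).lower()
        val = m.group(3) if m.group(3) is not None else m.group(4)
        if name == "pin-sha256":
            policy["pins"].append(val)
        elif name == "max-age":
            if val is None:
                raise ValueError("max-age requires a value")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = val
    return policy


def chain_matches(pins, chain_spkis) -> bool:
    """A chain satisfies a noted pin set if any SPKI in it hashes to a pin."""
    return bool({spki_pin(s) for s in chain_spkis} & set(pins))


def note_pins(header_value: str, chain_spkis):
    """Decide whether a browser should note the pins from a received header.

    RFC 7469 section 2.5: the header needs a max-age, at least one pin that
    matches the validated chain, and at least one pin that matches nothing in
    it (the backup pin). Returns (accepted, reason, parsed_policy).
    """
    policy = parse_header(header_value)
    if policy["max_age"] is None:
        return False, "missing max-age", policy
    chain = {spki_pin(s) for s in chain_spkis}
    matched = [p for p in policy["pins"] if p in chain]
    backup = [p for p in policy["pins"] if p not in chain]
    if not matched:
        return False, "no pin matches the served chain", policy
    if not backup:
        return False, "no backup pin (would lock the site to a single key)", policy
    return True, "ok", policy


if __name__ == "__main__":
    # A real chain also contains intermediates and the root; pinning one of
    # those keys instead of the leaf was common. Here the chain is the leaf only.
    hdr = build_header([spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)],
                       5184000, True, "https://example.com/hpkp-report")  # assumed values
    print("Public-Key-Pins:", hdr)
    ok, why, policy = note_pins(hdr, [LEAF_SPKI])
    print("noted:", ok, why)
    print("rogue cert accepted:", chain_matches(policy["pins"], [ROGUE_SPKI]))   # False
    print("rotation to backup accepted:", chain_matches(policy["pins"], [BACKUP_SPKI]))  # True
    # Leaf-only header: ignored by the browser, and a classic misconfiguration.
    print(note_pins(build_header([spki_pin(LEAF_SPKI)], 5184000), [LEAF_SPKI])[:2])
```

To compute a pin for a real certificate, the usual openssl pipeline is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. The backup-pin rule in `note_pins` is where operators most often failed in practice: a lost backup key, or a renewal that silently generated a new key without updating the header, turned a once-valid policy into a lockout lasting the full max-age.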

Also known as: HTTP Public Key Pinning, Public Key Pinning, HPKP header, RFC 7469, Key Pinning
🧊Why learn HPKP?

Developers should learn about HPKP mainly for historical context and because its failure mode is instructive. It hardened HTTPS against mis-issued certificates: a compromised or rogue certificate authority could not produce a certificate that browsers would accept for a pinned site, which made it attractive for high-assurance sites such as banking and government services. Its deprecation means the same goal is now pursued differently. Certificate Transparency, which major browsers enforce by default, makes mis-issuance publicly detectable rather than silently blocked; CAA DNS records restrict which authorities may issue for a domain; and where strict pinning is still wanted, it is done in first-party clients such as mobile apps and API clients that the operator controls and can update when keys change. The Expect-CT header that briefly bridged the gap has itself been retired now that CT enforcement is the default.
