
HPKP

also: Public-Key-Pins, HTTP Public Key Pinning

HPKP (HTTP Public Key Pinning) is a security mechanism that lets a website instruct browsers to associate it with specific public keys, so that a man-in-the-middle attacker presenting a fraudulently issued (but otherwise trusted) certificate is rejected.

HPKP works by having the web server send an HTTP response header that pins one or more public key hashes to its domain. When a browser receives this header over a trusted connection, it remembers the pinned keys and, on subsequent visits within the specified time period, rejects any TLS connection whose certificate chain contains no certificate carrying one of the pinned public keys.

For example, a server might send:

Public-Key-Pins: pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000

This tells the browser to accept only certificates with those specific public keys for the next 60 days (5184000 seconds). The two pin values here are placeholders; real ones are the base64-encoded SHA-256 hash of each key's DER-encoded SubjectPublicKeyInfo.

HPKP is particularly valuable when an attacker gains control of a Certificate Authority: browsers that remember the pins will refuse fraudulent certificates the attacker issues, even though those certificates chain to a trusted root. However, it requires careful management. Pinning to the wrong keys, or losing the keys that were pinned, makes the site inaccessible to every visitor who remembered the pins until max-age runs out.
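To make the header, the pin computation and the browser-side decision concrete, here is an added example in Python (standard library only; it is not code from the page or from any browser). It parses a Public-Key-Pins value, computes pin-sha256 from SubjectPublicKeyInfo bytes, checks a certificate chain against the remembered pins until they expire, and performs the server-side backup-pin check that guards against the lockout described above. The SPKI blobs are constructed placeholders; a real deployment would hash the DER-encoded SubjectPublicKeyInfo taken from the certificate and from the offline backup key.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo (SPKI) blobs. In a real
# deployment these are the SPKI bytes from the served certificate and the backup key;
# arbitrary bytes are used here so the example runs offline without a crypto library.
PRIMARY_SPKI = b"constructed-spki-primary-key"
BACKUP_SPKI = b"constructed-spki-backup-key"
UNPINNED_SPKI = b"constructed-spki-unpinned-key"

SECONDS_PER_DAY = 86400


def spki_pin(spki_der: bytes) -> str:
    """Compute a pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# The header from the page, with its placeholder pins replaced by pins computed
# from the constructed SPKI blobs above.
EXAMPLE_HEADER = (
    f'pin-sha256="{spki_pin(PRIMARY_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000"
)

# One directive: a name, optionally followed by "=" and a quoted or unquoted value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^;"]*))?\s*')


def parse_hpkp(header_value: str) -> dict:
    """Parse a Public-Key-Pins header value.

    Returns {"pins", "max_age", "include_subdomains", "report_uri"}. Raises
    ValueError when the policy is malformed or should not be deployed: missing
    max-age, a pin that is not a 32-byte digest, or fewer than two distinct pins.
    """
    pins, max_age, include_subdomains, report_uri = [], None, False, None
    for part in header_value.split(";"):
        if not part.strip():
            continue
        match = _DIRECTIVE.fullmatch(part)
        if match is None:
            raise ValueError(f"malformed directive: {part!r}")
        name, value = match.group(1).lower(), match.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]
        if name == "pin-sha256":
            if value is None:
                raise ValueError("pin-sha256 without a value")
            # A bad encoding raises binascii.Error, which is itself a ValueError.
            if len(base64.b64decode(value, validate=True)) != 32:
                raise ValueError(f"pin is not a 32-byte SHA-256 digest: {value!r}")
            pins.append(value)
        elif name == "max-age":
            if value is None or not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = value
        # Unknown directives are ignored, as RFC 7469 requires.
    if max_age is None:
        raise ValueError("max-age is required")
    if len(set(pins)) < 2:
        raise ValueError("at least two distinct pins are required (one must be a backup)")
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains, "report_uri": report_uri}


def remember_pins(policy: dict, now: float) -> dict:
    """What a browser stores after receiving a valid header over a trusted connection."""
    return {"pins": set(policy["pins"]), "expires": now + policy["max_age"]}


def chain_allowed(chain_spkis: list, remembered: dict, now: float) -> bool:
    """Browser-side check on a later visit: once the pins expire the policy no longer
    applies; before that, some certificate in the chain must carry a pinned key."""
    if now >= remembered["expires"]:
        return True
    return any(spki_pin(spki) in remembered["pins"] for spki in chain_spkis)


def has_backup_pin(policy: dict, served_chain_spkis: list) -> bool:
    """Server-side deployment check required by RFC 7469: at least one pin must not
    match any key in the chain actually served, so the site can rotate to that key
    later without locking out visitors who remembered the old pins."""
    served = {spki_pin(spki) for spki in served_chain_spkis}
    return any(pin not in served for pin in policy["pins"])


if __name__ == "__main__":
    policy = parse_hpkp(EXAMPLE_HEADER)
    print("pins:", policy["pins"])
    print("max-age in days:", policy["max_age"] // SECONDS_PER_DAY)
    remembered = remember_pins(policy, now=0.0)
    print("primary key accepted:", chain_allowed([PRIMARY_SPKI], remembered, 1.0))
    print("unpinned key accepted:", chain_allowed([UNPINNED_SPKI], remembered, 1.0))
    print("backup pin present:", has_backup_pin(policy, [PRIMARY_SPKI]))
```

The single-pin and wrong-length checks in parse_hpkp mirror what a conforming browser does before noting pins, and has_backup_pin is the pre-deployment test that catches the lockout scenario: if every pin in the header already appears in the served chain, losing that key leaves no way to rotate.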

Note: HPKP has largely fallen out of favor because of its operational complexity and the risk of locking users out of a site, with many browsers deprecating support in favor of alternative approaches such as Certificate Transparency and Expect-CT.
