Public-Key-Pins HTTP Header: Syntax, Directive, Examples

The Public-Key-Pins HTTP header is a response header that associates a specific cryptographic public key with a specific web server in order to reduce the risk of MITM attacks with forged certificates. A manipulator-in-the-middle attack (MitM) is one in which someone sits in the middle of a communication between two systems; for example, a Wi-Fi router can be hacked into. Some browsers still do not support the header, though. Instead, make use of the Expect-CT and Certificate Transparency headers. Certificate Transparency is an open platform that aims to monitor and guard against misissued certificates. So that misuse of a site's certificate does not go unreported, the Expect-CT header allows sites to opt into reporting and/or enforcement of Certificate Transparency requirements. The Public-Key-Pins HTTP header takes multiple values: pin-sha256="pin-value", max-age=expire-time, includeSubDomains and report-uri="uri". An example of the Public-Key-Pins HTTP header is written below.

Public-Key-Pins:
  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
  max-age=51000;
  includeSubDomains

The Public-Key-Pins response header can be seen above. This article covers the syntax, directives and usage examples of the Public-Key-Pins HTTP header.

What is a Public-Key-Pins HTTP Header?

The Public-Key-Pins HTTP Header response header is used to link a specific cryptographic public key to a specific web server in order to reduce the risk of MITM attacks with forged certificates. However, it is no longer supported and has been removed from modern browsers. Instead, use the Certificate Transparency and Expect-CT headers.

What is the Syntax of Public-Key-Pins HTTP Header?

The Public-Key-Pins HTTP Header uses multiple values in its syntax. The syntax for using the Public-Key-Pins HTTP Header is written below. 

Public-Key-Pins: pin-sha256="<pin-value>";
                 max-age=<expire-time>;
                 includeSubDomains;
                 report-uri="<uri>"

What are the Directives of Public-Key-Pins HTTP Header?

The Public-Key-Pins HTTP header has multiple directives. The directives used for the Public-Key-Pins HTTP header are listed below.

pin-sha256="<pin-value>"

The quoted string is the Subject Public Key Information (SPKI) fingerprint in Base64 format. Multiple pins can be specified for different public keys. In the future, some browsers may support hashing algorithms other than SHA-256.

max-age=<expire-time>

The amount of time, in seconds, that the browser should remember that this site can only be accessed by using one of the defined keys.

includeSubDomains (Optional)

If this optional parameter is specified, this rule applies to all subdomains of the site.

report-uri="<uri>" (Optional)

Pin validation failures are reported to the given URL if this optional parameter is specified.

An example directive for using the Public-Key-Pins HTTP header is written below.

Public-Key-Pins:
  pin-sha256="cUPcTAZWKaRSuYWhhneDppWpY3oBAkE3h2+soZS7sWs=";
  pin-sha256="M9HztCzM3elUxkcjR2S5P7thyBNf6lHkmjAHKhpGPWE=";
  max-age=5184000; includeSubDomains;
  report-uri="https://www.example.org/hpkp-report"

How to use a Public-Key-Pins HTTP Header?

To reduce the danger of MITM attacks with fake certificates, the Public-Key-Pins HTTP Header response header is used to associate a specific cryptographic public key with a specific web server. However, it is no longer supported and has been removed from newer browsers. Instead, use the Certificate Transparency and Expect-CT headers.

Examples of Public-Key-Pins HTTP Header Use

When you write pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=" you write the server's public key that is used in production. The backup key is also pinned by the second pin declaration pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=". max-age=5184000 instructs the client to keep this information for two months, which the IETF RFC considers to be a reasonable time limit. The includeSubDomains declaration indicates that this key pinning is also valid for all subdomains. Finally, report-uri="https://www.example.org/hpkp-report" specifies where pin validation failures should be reported.

Public-Key-Pins:
  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
  max-age=5184000;
  includeSubDomains;
  report-uri="https://www.example.org/hpkp-report"
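
As an added example (not code from the original article), the following Python parses a Public-Key-Pins value like the one above, checks it the way a client or a pre-deployment lint would (each pin must be a base64 SHA-256 digest, at least two pins so that a backup key exists, and max-age must be present), and computes the pin-sha256 value for a DER-encoded SubjectPublicKeyInfo as described under the pin-sha256 directive. The function names and the sample SPKI bytes used for matching are constructed for this example.

```python
import base64
import hashlib
import re

# Public-Key-Pins value from the article's example; the pins are the article's sample values.
EXAMPLE_HEADER = (
    'pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; '
    'pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; '
    'max-age=5184000; includeSubDomains; '
    'report-uri="https://www.example.org/hpkp-report"'
)
# A base64-encoded SHA-256 digest is always 43 base64 characters plus one '=' pad.
PIN_RE = re.compile(r"[A-Za-z0-9+/]{43}=")

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a DER-encoded SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp(value: str) -> dict:
    """Split a Public-Key-Pins field value into its directives (names are case-insensitive).
    Assumes quoted values contain no ';', which holds for pins and ordinary report URIs."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(raw)
        elif name == "max-age":
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = raw
    return policy

def validate_policy(policy: dict) -> list:
    """Problems a client or a pre-deployment check would flag; an empty list means usable."""
    problems = [f"pin {pin!r} is not a base64 SHA-256 digest"
                for pin in policy["pins"] if not PIN_RE.fullmatch(pin)]
    if len(policy["pins"]) < 2:
        problems.append("at least two pins are required (the live key plus a backup key)")
    if policy["max_age"] is None:
        problems.append("max-age is required")
    return problems

def spki_is_pinned(spki_der: bytes, policy: dict) -> bool:
    """True when the public key a server presented matches one of the pinned keys."""
    return spki_pin(spki_der) in policy["pins"]
```

Run against the article's first example, the truncated pins and the single pin are exactly what validate_policy reports.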

What is the Specification Document for Public-Key-Pins HTTP Header?

There is only one specification document for the Public-Key-Pins HTTP header, which is RFC 7469. Section 2.1 of RFC 7469, Public Key Pinning Extension for HTTP, defines the Public-Key-Pins header field together with Public-Key-Pins-Report-Only and describes their use. Additionally, this article discusses the Public-Key-Pins HTTP header's definition, usage and examples.

What is the type of Public-Key-Pins HTTP Header?

The HTTP Public-Key-Pins is a response header type that is used to associate a specific cryptographic public key with a specific web server in order to reduce the risk of MITM attacks using forged certificates.

What are the similar HTTP Headers to the Public-Key-Pins HTTP Header?

There are other HTTP headers similar to the Public-Key-Pins HTTP header. Examples are listed below.

  • Public-Key-Pins-Report-Only: The HTTP Public-Key-Pins-Report-Only response header was used to send reports of pinning violations to the specified report-uri, but unlike Public-Key-Pins, it still allows browsers to connect to the server if the pinning is violated. Public-Key-Pins and Public-Key-Pins-Report-Only are both response headers.
  • Expect-CT HTTP Header: The Expect-CT header allows sites to opt into Certificate Transparency reporting and/or enforcement, preventing the use of misissued certificates for that site from going unnoticed. The Public-Key-Pins HTTP header addresses misissued certificates in a similar way to the Expect-CT header.

Which Browsers Support Public-Key-Pins HTTP Header? 

There is no compatible browser for the Public-Key-Pins HTTP Header.
