Certificate Pinning / HPKP

Security Glossary - SSL/TLS

Definition: Certificate pinning restricts which certificates a client accepts for a given domain by binding (pinning) the domain to specific public keys or certificates, instead of trusting any certificate that chains to a CA in the client's trust store. HTTP Public Key Pinning (HPKP, RFC 7469) was a browser-based pinning mechanism delivered through the Public-Key-Pins response header; it has been deprecated and removed from browsers because a wrong, lost or hostile pin set could lock users out of a site for as long as the cached max-age.

Why Certificate Pinning Matters

Certificate pinning was designed to protect against rogue or compromised CAs issuing fraudulent certificates. Even if an attacker obtains a certificate for the domain that chains to a trusted CA, a pinned client rejects it because the certificate's public key does not match any pinned value. Pins are normally expressed as the base64-encoded SHA-256 hash of a certificate's SubjectPublicKeyInfo; pinning the key rather than the whole certificate lets the certificate be renewed without changing the pin, as long as the same key pair is reused.

HPKP was removed from browsers because of its extreme risk profile. If a site operator set incorrect pins, lost the pinned keys, or needed to switch CAs without a matching backup pin, the site became completely inaccessible to browsers that had cached the pins, for the full cached max-age (Chrome capped it at 60 days). The header also cut the other way: an attacker who briefly controlled the server could set pins for keys only they held, turning a short compromise into a lasting denial of service against the legitimate operator. Several high-profile incidents demonstrated the self-inflicted-outage risk, and the browser community concluded that Certificate Transparency was a safer answer to the same problem; Chrome removed HPKP in version 72 (early 2019) and Firefox in version 72 (early 2020).

Certificate pinning still exists in mobile apps and API clients where the developer controls both ends of the connection and can ship a new client when keys change. Mobile app pinning is a legitimate security measure, though it requires careful key rotation planning: pin the SubjectPublicKeyInfo hash rather than the leaf certificate, always ship at least one backup pin for a key held offline, and remember that pinning defeats a network attacker with a rogue CA, not an attacker who controls the device and can hook the app. For websites, CT monitoring has replaced pinning as the recommended approach to detecting unauthorized certificates.
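The mechanics of the two paragraphs above, pinning to the public key rather than the certificate and refusing to operate without a backup pin, as an added example in Go. This is editorial example code, not code from this page or from any pinning library; the host name api.example.test, the self-signed certificates and the keys are constructed for the demo and stand in for a real server, an offline backup key and an attacker who obtained a certificate from a rogue CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin computes the pin format used by HPKP and most mobile pinning libraries:
// base64(SHA-256(DER SubjectPublicKeyInfo)). Pass cert.RawSubjectPublicKeyInfo, or
// x509.MarshalPKIXPublicKey(pub) to pin a backup key that is not in any certificate yet.
func spkiPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// newPinVerifier returns a callback for tls.Config.VerifyPeerCertificate. Go runs it
// after ordinary chain validation, so pinning adds to the CA check rather than replacing
// it. Fewer than two pins is refused (RFC 7469 backup-pin rule): no backup, no rotation.
func newPinVerifier(pins []string) (func([][]byte, [][]*x509.Certificate) error, error) {
	if len(pins) < 2 {
		return nil, errors.New("refusing to pin with fewer than two pins (no backup)")
	}
	set := make(map[string]struct{}, len(pins))
	for _, p := range pins {
		set[p] = struct{}{}
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts { // any certificate in the presented chain may match
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if _, ok := set[spkiPin(cert.RawSubjectPublicKeyInfo)]; ok {
				return nil
			}
		}
		return errors.New("pin validation failed: no presented key matches a pin")
	}, nil
}

// selfSigned mints a throwaway certificate for key (constructed test data). Who signed
// it is irrelevant to pinning, which looks only at the key, so it also models a rogue CA.
func selfSigned(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.test"}, // hypothetical host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // cannot happen with these constructed inputs
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert
}

// demoResult records each outcome so the scenario can be checked, not just printed.
type demoResult struct {
	Pin              string
	KeyPinMatches    bool // pin from the bare key equals pin from the certificate
	LegitAccepted    bool // current cert, pinned key
	RenewedAccepted  bool // renewed cert, same key: pinning survives renewal
	RogueRejected    bool // same hostname, different key: rejected
	SinglePinRefused bool // verifier will not run without a backup pin
}

func runDemo() demoResult {
	serverKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	backupKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // kept offline in practice
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // attacker's key
	current, renewed, rogue := selfSigned(serverKey, 1), selfSigned(serverKey, 2), selfSigned(rogueKey, 3)
	r := demoResult{Pin: spkiPin(current.RawSubjectPublicKeyInfo)}
	serverDER, _ := x509.MarshalPKIXPublicKey(&serverKey.PublicKey)
	backupDER, _ := x509.MarshalPKIXPublicKey(&backupKey.PublicKey)
	r.KeyPinMatches = spkiPin(serverDER) == r.Pin
	_, err := newPinVerifier([]string{r.Pin})
	r.SinglePinRefused = err != nil
	verify, err := newPinVerifier([]string{r.Pin, spkiPin(backupDER)})
	if err != nil {
		panic(err)
	}
	r.LegitAccepted = verify([][]byte{current.Raw}, nil) == nil
	r.RenewedAccepted = verify([][]byte{renewed.Raw}, nil) == nil
	r.RogueRejected = verify([][]byte{rogue.Raw}, nil) != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", runDemo())
}
```

To use the verifier in a real client, set `VerifyPeerCertificate: verify` on the `tls.Config` passed to your HTTP transport and leave `InsecureSkipVerify` false; the callback then runs only after the normal chain check succeeds. The renewed-certificate case is why the text recommends pinning the key rather than the certificate, and the single-pin refusal is the rotation safeguard that HPKP deployments most often skipped.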

How to Test for Certificate Pinning

Check whether your server still sends the deprecated Public-Key-Pins header (or its Public-Key-Pins-Report-Only variant), for example by inspecting response headers with a security audit tool or with curl -sI. If present, remove it: HPKP is no longer supported by major browsers, and while the header remains, any client that still honours it caches the pins for the stated max-age, so a later key or CA change can still lock those clients out. For mobile apps, pinning configuration (such as the pin-set entries in an Android network security configuration) is reviewed during app security testing, which should confirm that the app refuses a connection presenting a certificate from an untrusted CA and that a backup pin is configured.
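The header check described above, as an added example in Go (editorial example code, not this page's scanner or any audit tool's own code). It parses a raw HTTP response the way `curl -si` prints it, reports whether an HPKP header is present, and converts max-age into the exposure window a still-pinning client would be stuck with. The two sample responses and their pin values are constructed for the demo, not captured from any real host.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// hpkpFinding is what an audit of one response reports about HPKP.
type hpkpFinding struct {
	Present       bool     // a Public-Key-Pins or -Report-Only header was sent
	ReportOnly    bool     // header was Public-Key-Pins-Report-Only (reports, never blocks)
	Pins          []string // pin-sha256 values as sent
	MaxAgeSeconds int      // -1 when absent
	IncludeSub    bool
	ReportURI     string
}

// parseHPKP parses a header value per RFC 7469 section 2.1: semicolon-separated
// directives, pin-sha256="<base64>" possibly repeated, directive names case-insensitive.
func parseHPKP(value string) (hpkpFinding, error) {
	f := hpkpFinding{Present: true, MaxAgeSeconds: -1}
	for _, d := range strings.Split(value, ";") {
		if d = strings.TrimSpace(d); d == "" {
			continue
		}
		parts := strings.SplitN(d, "=", 2)
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		val := ""
		if len(parts) == 2 {
			val = strings.Trim(strings.TrimSpace(parts[1]), `"`)
		}
		switch name {
		case "pin-sha256":
			f.Pins = append(f.Pins, val)
		case "max-age":
			n, err := strconv.Atoi(val)
			if err != nil || n < 0 {
				return f, fmt.Errorf("hpkp: bad max-age %q", val)
			}
			f.MaxAgeSeconds = n
		case "includesubdomains":
			f.IncludeSub = true
		case "report-uri":
			f.ReportURI = val
		}
	}
	return f, nil
}

// auditResponse reads a raw HTTP response and reports whether HPKP is still being
// sent. Any Present=true result is a finding: the header should be removed.
func auditResponse(raw string) (hpkpFinding, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return hpkpFinding{}, err
	}
	resp.Body.Close()
	if v := resp.Header.Get("Public-Key-Pins"); v != "" {
		return parseHPKP(v)
	}
	if v := resp.Header.Get("Public-Key-Pins-Report-Only"); v != "" {
		f, err := parseHPKP(v)
		f.ReportOnly = true
		return f, err
	}
	return hpkpFinding{}, nil
}

// exposureDays converts max-age to days: how long a client that still honours the
// header would keep enforcing a pin set after the server stopped sending it.
func exposureDays(f hpkpFinding) float64 {
	if f.MaxAgeSeconds < 0 {
		return 0
	}
	return float64(f.MaxAgeSeconds) / 86400
}

// Constructed sample responses with dummy pin values; not captured from any real host.
const sampleWithHPKP = "HTTP/1.1 200 OK\r\n" +
	"Content-Length: 0\r\n" +
	"Public-Key-Pins: pin-sha256=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"; " +
	"pin-sha256=\"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=\"; max-age=5184000; includeSubDomains\r\n" +
	"\r\n"

const sampleClean = "HTTP/1.1 200 OK\r\n" +
	"Content-Length: 0\r\n" +
	"Strict-Transport-Security: max-age=31536000\r\n" +
	"\r\n"

func main() {
	for _, raw := range []string{sampleWithHPKP, sampleClean} {
		f, err := auditResponse(raw)
		if err != nil {
			panic(err)
		}
		if f.Present {
			fmt.Printf("FINDING: HPKP header present, %d pins, cached %.0f days, includeSubDomains=%v\n",
				len(f.Pins), exposureDays(f), f.IncludeSub)
		} else {
			fmt.Println("OK: no HPKP header")
		}
	}
}
```

The max-age in the constructed sample is 5184000 seconds, the 60-day ceiling Chrome applied to HPKP, which is the longest any browser client would have cached a pin set; the audit reports it in days because that is the outage window an operator has to reason about if the pinned keys are lost.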

Frequently Asked Questions

Should I use certificate pinning on my website?
No. HPKP has been deprecated and removed from browsers. Use Certificate Transparency monitoring instead to detect unauthorized certificates for your domain. CT provides the detection benefit without the risk of self-inflicted outages, but it is detection rather than prevention: a misissued certificate remains usable until you notice it in the logs and have it revoked, so CT monitoring needs an alerting and response process behind it.
Is certificate pinning still useful for mobile apps?
Yes, certificate pinning in mobile apps remains a valid security measure for high-security applications like banking. It prevents man-in-the-middle attacks even when a device has a rogue CA certificate installed, because the attacker's certificate carries a key that is not pinned. However, it requires careful implementation and key rotation planning: pin public keys rather than leaf certificates, include a backup pin for an offline key, and plan how the app will be updated before a pinned key is retired. It also does not protect against an attacker who controls the device itself, since the pinning check can be patched or hooked in the app.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.