HTTP Public Key Pinning (HPKP)

  • Question

  • User919378809 posted

    I am implementing HPKP as per the security team's request. I added this element under the header tag in the config file and deployed the application to the server, but after deploying the application it stopped working.

    <customHeaders>
    <add name="Public-Key-Pins" value="pin-sha256=@@@@@@@@@@@; max-age=5184000; includeSubDomains"/>
    </customHeaders>

    pin-sha256=@@@@@@@@@@@ - actual key was replaced by @ and the original key was provided by the security team.

    Please let me know whether the above config information is correct or not.
    Please let me know what the behavior is if we provide a wrong pin-sha256 key.

    Thanks

    Selvakumar R

    Thursday, January 31, 2019 6:05 PM

All replies

  • User-893317190 posted

    Hi Selvakumar Ramachandran,

    HPKP is used to prevent MITM in client and server communication through https.

    Does your website use https?

    If your pin-sha256 is wrong, the client (browser) will look for a wrong public key of a certificate in the certificate chain, then the client should present a warning to the user.

    You could refer to MDN for the right format of the Public-Key-Pins header; it is at the bottom of the page.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

    Best regards,

    Ackerly Xu

    Friday, February 1, 2019 2:14 AM
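As an added example (not from either poster), the following Python validates a Public-Key-Pins value against the RFC 7469 syntax before it is deployed, computes pins the way a browser does (base64 of SHA-256 over the DER SubjectPublicKeyInfo), and models the browser's accept/reject decision for a matching and a wrong pin. The SPKI byte strings are constructed stand-ins, not real keys; the unquoted, single-pin header from the question is used as the failing input.

```python
import base64
import hashlib
import re

# RFC 7469 directive syntax: pin-sha256="<base64(SHA-256(DER SubjectPublicKeyInfo))>"
_PIN_RE = re.compile(r'^pin-sha256="([A-Za-z0-9+/=]+)"$', re.IGNORECASE)

# Constructed stand-ins for DER-encoded public keys (hypothetical, not real certificates).
SAMPLE_LEAF_SPKI = b"constructed: SubjectPublicKeyInfo of the served leaf certificate"
SAMPLE_BACKUP_SPKI = b"constructed: SubjectPublicKeyInfo of an offline backup key"
THREAD_HEADER = "pin-sha256=@@@@@@@@@@@; max-age=5184000; includeSubDomains"  # from the question


def spki_pin(spki_der: bytes) -> str:
    """Pin for one public key: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Validate a Public-Key-Pins value before deployment; returns pins, max_age, errors."""
    out = {"pins": [], "max_age": None, "errors": []}
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, arg = directive.lower().partition("=")
        if name == "pin-sha256":
            m = _PIN_RE.match(directive)
            try:
                digest = base64.b64decode(m.group(1), validate=True) if m else b""
            except ValueError:
                digest = b""
            if len(digest) != 32:  # unquoted, non-base64, or not a SHA-256 digest
                out["errors"].append(f"pin must be a quoted base64 SHA-256 digest: {directive}")
            else:
                out["pins"].append(m.group(1))
        elif name == "max-age":
            if arg.isdigit():
                out["max_age"] = int(arg)
            else:
                out["errors"].append(f"max-age must be a non-negative integer: {directive}")
        elif name not in ("includesubdomains", "report-uri"):
            out["errors"].append(f"unknown directive: {directive}")
    if out["max_age"] is None:
        out["errors"].append("max-age is required")
    if len(out["pins"]) < 2:
        out["errors"].append("RFC 7469 requires at least two pins, one of them a backup key")
    return out


def client_accepts(pins: list, chain_spki_ders: list) -> bool:
    """Browser rule: accept only if some pin matches a key in the served certificate chain."""
    chain_pins = {spki_pin(der) for der in chain_spki_ders}
    return any(p in chain_pins for p in pins)
```

A pin that matches nothing in the chain makes every pinned browser refuse the site until max-age expires, so the header should be validated and tested with a short max-age before a long one is deployed.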